About This Guide


Welcome to the Encentuate IAM Provisioning Integration Guide.

Use this guide to configure, manage, and troubleshoot the different provisioning
integration solutions for Encentuate IAM.

Purpose 

This guide provides procedures to help configure and maintain the provisioning
integration solutions against Encentuate IAM.

Audience 


The target users for this integration guide are highly technical users that can 
understand how an Encentuate product can be enhanced and customized for user 
provisioning purposes. 

What's in this guide 

About IAM Provisioning provides an overview of Encentuate IAM and how other
provisioning solutions can integrate with IAM.

Encentuate Provisioning API describes the Encentuate IAM Provisioning API for
provisioning and its integration mechanism with third-party identity provisioning
systems.

IBM Tivoli Integration details the setup and configuration steps required for the
integration of the IBM Tivoli Identity Manager (ITIM) provisioning system with
Encentuate IAM. It also provides procedures to create an AccessProfile for ITAM
and to configure ITAM as an authentication service.

M-Tech ID-Synch defines the setup and configuration steps required for the
integration of the M-Tech ID-Synch provisioning system with Encentuate IAM.







Appendices provides additional information on troubleshooting and other ways of
customizing and enhancing ITIM with Encentuate IAM.


Glossary and Abbreviations defines all the commonly-used terms and 
abbreviations used throughout the guide. 


Document conventions 


Refer to this section to understand the formatting conventions used for content in
this guide.

Main interface elements 

The following are highlighted in bold text in the guide: dialog boxes, tabs, panels,
fields, check boxes, radio buttons, buttons, folder names, policy IDs/names,
and keys. Examples are: OK, Options tab, and Account Name field.

Navigation 

All content that helps users navigate around an interface is italicized (for example:
Start > Run > All Programs).

Cross-references 

Cross-references refer you to other topics in the guide that may provide additional 
information or reference. Cross-references are highlighted in green and display 
the referring topic's name (for example: Document conventions ). 

Hyperlinks 

Hyperlinks refer you to external documents or Web pages that may provide 
additional information or reference. Hyperlinks are highlighted in blue and display 
the actual location of the external document or Web page (for example:
http://www.encentuate.com).


Scripts, commands, and code 

Scripts, commands, or code are those entered within the system itself for 
configuration or setup purposes, and are usually formatted in a Courier font. 

For example: 

<script language="JavaScript">
<!--
ht_basename = "index.php";
ht_dirbase = "";
ht_dirpath = "/" + ht_dirbase;
//-->
</script>


Tips or Hints 



Tips or hints help explain useful information that would help perform certain tasks 
better. 


Warnings 


Warnings highlight critical information that would affect the main functionalities of 
the system or any data-related issues. 


About IAM Provisioning


Provisioning systems have increasingly become critical components of the
enterprise identity and access management strategy. A provisioning system
provides identity lifecycle management for application users in enterprises and
manages their credentials.

Encentuate IAM, an enterprise access security solution, provides real-time
implementation of access security policies for users and applications. Integrating
a provisioning system with the Encentuate IAM access security solution results in
a complete identity and access management solution.

The complete solution provides automatic application account provisioning, a
central view of all application accounts, sign-on/sign-off automation,
authentication management, user-centric audit logs and report generation, and
centralized de-provisioning for all accounts.

This chapter covers the following topics: 

■ About Identity and Access Management (IAM)

■ Provisioning key features and benefits

■ IAM integration solutions

About Identity and Access
Management (IAM)

Encentuate IAM is the first enterprise access security (EAS) solution that allows
enterprises to simplify, strengthen, and track access to their digital assets and
physical systems. Enterprises do not have to choose between strong security and
convenience; they can have both.

Encentuate IAM combines sign-on/sign-off automation, authentication
management and user tracking to provide a seamless path to strong digital
identity. Encentuate IAM transparently increases security, enhances user
convenience, and provides integrated access across existing information, network,
and physical systems.






Encentuate IAM has two main components: Encentuate AccessAgent and
Encentuate IMS Server. User credentials are stored in an Encentuate Wallet on the
IMS Server. A user logs on to the Wallet by presenting one or more authentication
factors to AccessAgent. AccessAgent then performs automatic sign-on to any
enterprise application, which can be Windows-based, Web-based, mainframe-
based or terminal-based.


Provisioning key features and benefits 

An identity provisioning system helps enterprises ensure that the right users have 
access to the right applications and infrastructure. It provides a secure, automated 
and policy-based identity lifecycle management solution that helps enterprises 
automate provisioning and de-provisioning of all user accounts, and provides a 
centralized view of all application credentials. 

The embedded provisioning engine creates user credentials based on policies and 
defines the entitlements of the user accounts. It quickly connects users to 
appropriate enterprise resources while reducing administrative workload. 

Greater security through strict policy definition and 
enforcement 

Encentuate IAM enforces strict, user-defined access security policies, and ensures
all users meet these policies by managing their access privileges. Security is not
compromised in any way, because Administrators do not see users' passwords;
they only manage user access rights. This significantly strengthens the security
culture within an enterprise. Encentuate IMS Connectors provide seamless
enforcement of password change and fortification without user inconvenience.

Enforcement of regulatory compliance requirements

Encentuate strengthens information access and provides user-centric audit logs,
while provisioning systems enforce access control for sensitive data. Together, the
Encentuate IAM's Provisioning API and the selected integration provide enterprises
with a way to comply with regulations such as Sarbanes-Oxley, the Gramm-
Leach-Bliley Act, HIPAA, and California SB 1386.

Improved employee productivity

Encentuate IAM assists users in managing their credentials. When users launch an
application, AccessAgent auto-fills their credentials and authenticates the users to
the application server.

Integrating Encentuate IAM with another provisioning system provides convenience
to users by consolidating credential management, allowing Administrators to
centrally manage and administer users' consolidated accounts. Users do not have
to remember any application passwords.
Streamlined user-centric administration

The integration with Encentuate IAM eliminates the need for Administrators to
manage too many application accounts. Administrators can automatically
provision and administer users' multiple application accounts from one centralized
system.

Integration with Encentuate IAM also eliminates the need to notify users of
changes to application credentials, because credential changes are automatically
pushed to their Wallets. All that users have to know is how to log on to the
Wallet; any new application credential automatically shows up in the Wallet.

Fast return on investment 

The integration of Encentuate IAM's Provisioning API with another provisioning
system allows Administrators to manage multiple user accounts from one location.
The centralized process renders manual updates on individual accounts obsolete,
which results in a significant reduction of the time and costs associated with user
account management. Consequently, the time and costs saved can be channeled
to other areas of network administration.


IAM integration solutions

Encentuate IAM can integrate with various identity provisioning systems to provide
a complete identity and access management solution.

At present, the following provisioning systems can integrate with Encentuate IAM.
For more information, see the separate chapters on each system.

■ Encentuate Provisioning Application Programming Interface (API), see
Encentuate Provisioning API

■ IBM Tivoli, see IBM Tivoli Integration

■ M-Tech ID-Synch, see M-Tech ID-Synch


Encentuate Provisioning API


This chapter describes the Encentuate IAM Provisioning API for provisioning and its
integration mechanism with third-party identity provisioning systems.

The chapter provides a reference for the SOAP API, as well as a guide for 
developing the SOAP client and configuring the IMS Server. For identity 
provisioning systems that support Java-based connectors, this chapter can also 
serve as a reference for the Java API, as well as a guide for developing the 
integration module and configuring the IMS Server. 

This chapter covers the following topics: 

■ About Encentuate API 

■ Minimum requirements 

■ Available API types 

■ Using Java API for provisioning 

■ Using SOAP API for provisioning 

■ Provisioning API setup and maintenance 

About Encentuate API 


While the identity provisioning system provides the identity lifecycle management
for application users, Encentuate IAM provides real-time implementation of access
security policies for users and applications.

The integrated solution delivers seamless identity and access management that 
provides application account provisioning, a centralized view of all application 
accounts, sign-on/sign-off automation, authentication management, user-centric 
audit logs and reporting, and centralized de-provisioning of all accounts. The 
identity provisioning system needs to communicate with the IMS Server in order to 
populate and manage credentials in the Wallet. 










The Encentuate IMS Bridge offers a Java interface to the identity provisioning 
system to communicate with the IMS Server. If it is not possible to use the Java 
interface, an Encentuate IMS Bridge that communicates directly with the IMS Server 
using SOAP will have to be developed for the identity provisioning system. 

The workflow of the provisioning process is illustrated in the following diagram: 



Communications between the identity provisioning system and the IMS Server are
done using Simple Object Access Protocol (SOAP) over HTTPS. When the identity
provisioning system provisions new users or new application accounts for a user,
resets application passwords for users, or de-provisions an enterprise user or an
application account, it makes the appropriate SOAP calls to the IMS Server with
the relevant account data.



[Diagram: Communication process between the provisioning system and the IMS
Server. The diagram shows the Encentuate Wallet (passwords, credentials, policies),
Encentuate AccessAgent, the SSO platforms, and the application accounts for
Windows, Java, Citrix-published and mainframe terminal applications.]
The IMS Server accordingly creates a new user, populates the user's Wallet with the
new account data, updates credentials, deletes accounts or revokes a user.


With this integration, users can enjoy single sign-on to provisioned accounts 
immediately upon sign on to Encentuate, and Administrators can revoke 
application access centrally by automatically removing credentials from the 
Encentuate Wallet. 


Minimum requirements 

■ Encentuate IMS Server: 3.0.0.0 and above 

■ Encentuate AccessAgent: 3.0.3.4 and above 

■ (Java API only) IMS Bridge should be deployed with Sun JVM version 1.4.x. 

Available API types 

The developer may choose between two sets of APIs to integrate an identity
provisioning system with IAM. These are described in detail in the sections that
follow.

■ Java API for Provisioning 

This is the recommended API to use for identity provisioning systems that
support Java-based connectors for integration with third-party systems. The Java
API provides a wrapper around the SOAP API so as to simplify its operations.
For example, encryption of application passwords is performed by the
provided IMS Bridge, and hence, is transparent to the developer.

■ SOAP API for Provisioning 

If the Java API cannot be used, the developer may choose to use the SOAP API 
instead. The advantage of the SOAP API is that it is programming language 
independent, and hence, the provisioning agent can potentially be written in 
any programming language native to the identity provisioning system. 

Using Java API for provisioning 

Encentuate provides a set of Java APIs for integration with identity provisioning 
systems. 





The standard distribution of the provisioning bridge contains the following directories:


■ /bin: contains binary executables or scripts to invoke functions provided by IMS 
Bridge 

■ /lib: contains libraries for IMS Bridge 

■ /docs: contains configuration and deployment guide 

■ /config: sample configuration files for IMS Bridge 

Configuring a certificate store for the 
IMS Bridge (Java Provisioning API) 

The IMS Bridge communicates with the IMS Server using one-way SSL. This means
that the IMS Bridge needs to trust the IMS SSL certificate. If you are deploying the
IMS Bridge on an application server where there is already one common trust
store shared by different applications, import the IMS SSL certificate into that
key store as a trusted CA entry.

Alternatively, create a dedicated key store with the Java keytool utility and
configure the IMS Bridge to use that key store as its trust store.

Be sure to complete the steps in Configuring The IMS Server.

Configuring the IMS Bridge 

The IMS Bridge is packaged with a sample configuration file as follows: 

<?xml version="1.0" encoding="UTF-8"?>
<Config>
  <main>
    <ims.serverName>
      <value xml:lang="en">ims.yourcompany.com</value>
    </ims.serverName>
    <ims.httpsPort>
      <value xml:lang="en">443</value>
    </ims.httpsPort>
    <ims.httpPort>
      <value xml:lang="en">80</value>
    </ims.httpPort>
    <ims.servicePath>
      <value xml:lang="en">/ims/services</value>
    </ims.servicePath>
    <provisioningbridge.truststore>
      <value xml:lang="en">test\config\test_keystore</value>
    </provisioningbridge.truststore>
    <provisioningbridge.jvm.environment.initializer>
      <value xml:lang="en">encentuate.bridges.provisioning.GenericJvmEnvironmentInitializer</value>
    </provisioningbridge.jvm.environment.initializer>
    <provisioningbridge.truststorePassword>
      <value xml:lang="en">password</value>
    </provisioningbridge.truststorePassword>
    <provisioningbridge.authenticationService.mapping>
      <value xml:lang="en">ActiveDirectory:dir_ad</value>
      <value xml:lang="en">LotusNotes:dir_notes</value>
    </provisioningbridge.authenticationService.mapping>
  </main>
</Config>

Refer to the following descriptions of the XML parameters. Some of the parameters
are optional.

ims.serverName

The DNS name of the IMS Server.

ims.httpsPort (Optional)

The port the IMS Server listens on for HTTPS requests. The default is 443.

ims.httpPort (Optional)

The port the IMS Server listens on for HTTP requests. The default is 80.

ims.servicePath (Optional)

The root path of IMS services. The default is /ims/services/. Note that the value
should start with
provisioningbridge.trustStore (Mandatory for CLT only)

The trust store used by IMS Bridge (Example: C:\path\to\truststore). This
configuration does not take effect if there is already one system property set for
javax.net.ssl.trustStore.

provisioningbridge.trustStorePassword (Mandatory for CLT only)

Password of the trust store used by IMS Bridge. This configuration does not
take effect if there is already one system property set for
javax.net.ssl.trustStorePassword.

provisioningbridge.password.encryption.algorithm (Optional)

The algorithm that encrypts the provisioned application passwords. The default
algorithm is RSA/NONE/PKCS1Padding.

provisioningbridge.password.encryption.transformation (Optional)

The transformation ID that corresponds to the encryption algorithm. The
default is RSA/NONE/PKCS1Padding/2048/ProvisionKeypair.

provisioningbridge.authenticationService.mapping (Optional)

The mapping of application IDs on the host provisioning system to the IMS
Server's representation. Each value of this configuration key should follow the
format prov_system_app_ID:IMS_server_app_ID.

For example, you have configured an authentication service for Active Directory
in the IMS Server called dir_encentuate.com. However, the internal representation
for the same authentication service in your provisioning system is
ENCENTUATE. You will then need to include the following configuration key:

<provisioningbridge.authenticationService.mapping>
<value xml:lang="en">ENCENTUATE:dir_encentuate.com</value>
</provisioningbridge.authenticationService.mapping>

provisioningbridge.jvm.environment.initializer (Optional)

Name of a class that implements the JvmEnvironmentInitializer interface,
which sets up the JVM environment, such as Java system properties, before the
IMS Bridge starts to run. The default is
encentuate.bridges.provisioning.GenericEnvironmentInitializer.
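As an added example that is not code from the IMS Bridge distribution, the following Python reads a configuration file in the layout described above and resolves the effective settings: the documented defaults, the precedence of the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties over the file, the keys that are mandatory for CLT use, and the authenticationService.mapping lookup. The ConfigError class, the constructed sample configuration and the pass-through of unmapped application IDs to the IMS Server are this example's own assumptions.

```python
"""Resolve effective IMS Bridge settings from its XML configuration file.

Added example, not code from the IMS Bridge distribution. It parses the
<Config>/<main> layout of the sample file, applies the documented defaults,
lets javax.net.ssl.* system properties override the trust store keys, enforces
the CLT-only mandatory keys, and resolves application IDs via the mapping key.
ConfigError, the sample file and pass-through of unmapped IDs are assumptions.
"""
import xml.etree.ElementTree as ET

DEFAULTS = {
    "ims.httpsPort": "443",
    "ims.httpPort": "80",
    "ims.servicePath": "/ims/services",
    "provisioningbridge.password.encryption.algorithm": "RSA/NONE/PKCS1Padding",
    "provisioningbridge.password.encryption.transformation":
        "RSA/NONE/PKCS1Padding/2048/ProvisionKeypair",
}

# A set system property wins over the file value for these two keys.
SYSTEM_PROPERTY_OVERRIDES = {
    "provisioningbridge.trustStore": "javax.net.ssl.trustStore",
    "provisioningbridge.trustStorePassword": "javax.net.ssl.trustStorePassword",
}

# Constructed sample in the layout of the page's sample configuration file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Config>
  <main>
    <ims.serverName><value xml:lang="en">ims.example.com</value></ims.serverName>
    <ims.httpsPort><value xml:lang="en">8443</value></ims.httpsPort>
    <provisioningbridge.trustStore>
      <value xml:lang="en">C:\\bridge\\config\\test_keystore</value>
    </provisioningbridge.trustStore>
    <provisioningbridge.trustStorePassword>
      <value xml:lang="en">password</value>
    </provisioningbridge.trustStorePassword>
    <provisioningbridge.authenticationService.mapping>
      <value xml:lang="en">ActiveDirectory:dir_ad</value>
      <value xml:lang="en">LotusNotes:dir_notes</value>
    </provisioningbridge.authenticationService.mapping>
  </main>
</Config>"""


class ConfigError(ValueError):
    """Missing mandatory key or malformed value (assumed error type)."""


def parse_bridge_config(xml_text):
    """Return {key: [values]} per child of <main>; keys are lower-cased because
    the page spells the trust store key with both casings."""
    main = ET.fromstring(xml_text).find("main")
    if main is None:
        raise ConfigError("no <main> element under <Config>")
    settings = {}
    for elem in main:
        settings[elem.tag.lower()] = [
            v.text.strip() for v in elem.findall("value") if v.text]
    return settings


def effective_settings(settings, system_properties=None, clt=False):
    """Apply defaults, system-property precedence and CLT mandatory checks."""
    sysprops = system_properties or {}
    if not settings.get("ims.servername"):
        raise ConfigError("ims.serverName is mandatory")
    resolved = {"ims.serverName": settings["ims.servername"][0]}
    for key, default in DEFAULTS.items():
        resolved[key] = (settings.get(key.lower()) or [default])[0]
    for key, prop in SYSTEM_PROPERTY_OVERRIDES.items():
        if prop in sysprops:
            resolved[key] = sysprops[prop]  # the file value is ignored
        elif settings.get(key.lower()):
            resolved[key] = settings[key.lower()][0]
        elif clt:
            raise ConfigError(key + " is mandatory for CLT use")
    # The bridge calls the IMS SOAP services over HTTPS only.
    resolved["serviceUrl"] = "https://%s:%s%s" % (resolved["ims.serverName"],
        resolved["ims.httpsPort"], resolved["ims.servicePath"])
    return resolved


def auth_service_mapping(settings):
    """Parse prov_system_app_ID:IMS_server_app_ID values into a dict."""
    mapping = {}
    for entry in settings.get(
            "provisioningbridge.authenticationservice.mapping", []):
        prov_id, sep, ims_id = entry.partition(":")
        if not (sep and prov_id and ims_id):
            raise ConfigError("malformed mapping entry: " + entry)
        mapping[prov_id] = ims_id
    return mapping


def resolve_app_id(mapping, app_id):
    """Translate a provisioning-system app ID to the IMS Server's ID. Unmapped
    IDs pass through (assumed); the server then reports UNKNOWN_AUTH_SERVICE."""
    return mapping.get(app_id, app_id)
```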

Developing an integration module 
using the IMS Bridge 

To integrate with the IMS Bridge after installing and configuring it:

1. Develop against the IMS Bridge Java API and compile.

2. Place all necessary classes in the JRE class path.
The following sample code uses the IMS Bridge Java API. It creates and
revokes a user with user name "james" in a deployment that does not have
multiple Active Directory (AD) domains.

import encentuate.bridges.provisioning.*;
import java.util.List;

public class IntegrationModule {

    public static void main(String[] args) throws ProvisioningBridgeException {
        int userStatus;
        List appAccounts;

        // Instantiates the Provisioning Bridge from its configuration file
        // (backslashes are escaped in the Java string literal).
        ProvisioningBridge bridge =
            new ProvisioningBridge("C:\\imsBridgeConfig.xml");

        // Login to the IMS Bridge using the shared secret.
        bridge.login("provisioning_system", "xyz123");

        // Creates an account on the IMS Server for this user if
        // he doesn't already have one.
        bridge.createImsAccount("james", "abcabc");

        // Get registration status of the user account
        // on the IMS Server.
        userStatus = bridge.getRegistrationStatus("james");

        // Once the IMS account is created, the provisioning system
        // can add application account data to the credential
        // Wallet of this IMS account.

        // Adds a "SQL DB" account with user name "james.h" to the
        // user's credential Wallet (addAppAccountData in the API reference).
        bridge.addAppAccountData("james", "SQL DB", "james.h", "abcdef");

        // Get a list of accounts in the user's credential Wallet.
        appAccounts = bridge.getUserAccounts("james");

        // Deletes an application account data from the user's
        // credential Wallet.
        bridge.deleteAppAccountData("james", "SQL DB", "james.h");

        // Revokes the IMS user and invalidates his credential Wallet.
        bridge.revokeImsAccount("james");

        // Logout from the IMS Bridge.
        bridge.logout();
    }
}

Using the Command Line Tool (CLT) 

The IMS Bridge APIs can be invoked using CLTs. To use CLT, you need to use a 
utility called commons-launcher in the /bin folder. 

The following XML parameters must be set for CLT use:

■ provisioningbridge.trustStore

■ provisioningbridge.trustStorePassword

For more information, see the descriptions of the parameters in Configuring the
IMS Bridge.

To provision a new IMS user, you can issue a command in the command prompt
as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task addImsUser \
  --imsUserId test.encentuate.com\james --imsUserPassword password \
  --userPrincipalName james@test.encentuate.com \
  --samAccountName james --domainDnsName test.encentuate.com

To add a new application account to the Wallet of an IMS user, you can issue a
command in the command prompt as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task add \
  --imsUserId test.encentuate.com\james \
  --appId dir_alpha.test.encentuate.com --appUserId james \
  --appPassword password

To update an application account that has been stored in the Wallet of an IMS
user, you can issue a command in the command prompt as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task set \
  --imsUserId test.encentuate.com\james \
  --appId dir_alpha.test.encentuate.com --appUserId james \
  --appPassword password

To delete an application account that is stored in the Wallet of an IMS user, you
can issue a command in the command prompt as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task delete \
  --imsUserId test.encentuate.com\james \
  --appId dir_alpha.test.encentuate.com --appUserId james

To check a user's registration status, you can issue a command in the command
prompt as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task registrationStatus \
  --imsUserId test.encentuate.com\james

To get a user's Wallet contents, you can issue a command in the command prompt
as follows:

java -cp C:\provisioningbridge\bin LauncherBootstrap run \
  --configFile C:\provisioningbridge\config\provisioningBridge.xml \
  --loginId bridge --password password --task walletAccountInfo \
  --imsUserId test.encentuate.com\james

Java API classes 

The IMS Bridge interfaces with third-party identity provisioning systems via the
class encentuate.bridges.provisioning.ProvisioningBridge.

The API of this class is as follows:

ProvisioningBridge (Constructor)

Constructor of the class.

public ProvisioningBridge(String configFile)
throws ProvisioningBridgeException

Parameters:

configFile - The full path name of the IMS configuration file.

Throws:

ProvisioningBridgeException - If there are errors while reading the configuration
file, this exception is thrown with an error code BAD_CONFIGURATION.

login

Authenticates the IMS Bridge to the IMS Server using a preconfigured shared 
secret. This method must be called first before other methods in the API can be 
used. 

public void login(String serverId, String serverPassword)
throws ProvisioningBridgeException, IllegalArgumentException

Parameters:

serverId

The case-insensitive ID of the server on which the IMS Bridge is running. This is
preconfigured in the IMS Server as part of the shared secret for the IMS Bridge
to log in to the IMS Server.

serverPassword

The corresponding case-sensitive password for this shared secret.

Throws:

ProvisioningBridgeException - If login fails, with these possible error codes:

INVALID_LOGIN

If the serverId and serverPassword pair doesn't match any preconfigured
shared secret, or if the IP of this server doesn't match that preconfigured on the
IMS Server.

ACCESS_DENIED

If the login account has no access to IMS provisioning services.

REMOTE_EXCEPTION

If there are exceptions when calling IMS SOAP services.

logout

Logs out from the IMS Server at the end of the session.

public void logout()

Parameters:

None

Throws:

ProvisioningBridgeException - If logout fails, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

IMS_SERVER_ERROR

If there was an error on the server that prevented this call from succeeding.


createImsAccount

This method creates an account on the IMS Server using the given user name and
initial password. User attributes are optional, depending on whether the
deployment has multiple Active Directory (AD) domains. An IMS account is
necessary for all the other provisioning tasks.

public void createImsAccount(String imsUserId, String initialPassword)
throws ProvisioningBridgeException

public void createImsAccount(String imsUserId, String initialPassword,
Hashtable userAttrs)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name for the new account on the IMS Server. This should be the same
as the user's primary enterprise identity, e.g., domain user name. In a deployment
with multiple AD domains, the format of the user name should be of the
form dnsDomain\sAMAccountName (e.g., "encentuate.com\username").

initialPassword

The initial password to be set on the IMS Server for the new account.

userAttrs

A hash table that contains user attributes in name-value pairs. This parameter
should be supplied if the deployment has multiple AD domains. Currently, the
following user attributes are supported:

• userPrincipalName (optional): UPN of the user account. (This is only useful
when the enterprise directory is AD.)

• domainDnsName: DNS domain name of the enterprise directory.

• samAccountName: sAMAccountName of the AD user account. (This is only
useful when the enterprise directory is AD.)

• directoryId (optional): ID of the enterprise directory that holds the user account.
(This is optional if there is only one enterprise directory configured in the IMS
Server.)

Throws:

ProvisioningBridgeException - If a new account cannot be created on the IMS
Server, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

USER_IS_REGISTERED

If imsUserId already exists on the IMS Server.

USER_IS_REVOKED

If imsUserId is registered but is already revoked.

deleteImsAccount

This method deletes a user account from the IMS Server and invalidates the user's
credential Wallet. An account of the same user name can be created subsequent to
this call.

public void deleteImsAccount(String imsUserId)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name of the account to be deleted from the IMS Server. In a deployment
with multiple Active Directory (AD) domains, the format of the user name
should be of the form dnsDomain\sAMAccountName (e.g.,
"encentuate.com\username").

Throws:

ProvisioningBridgeException - If deletion fails, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

USER_IS_REVOKED

If imsUserId had been revoked on the IMS Server.

REMOTE_EXCEPTION

If invocation of the IMS service fails.

revokeImsAccount

This method revokes a user account from the IMS Server and invalidates the user's
credential Wallet. An IMS user account cannot be created with the same user name
as a revoked account.

public void revokeImsAccount(String imsUserId)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name of the IMS account to revoke. In a deployment with multiple
Active Directory (AD) domains, the format of the user name should be of the
form dnsDomain\sAMAccountName (e.g., "encentuate.com\username").

Throws:

ProvisioningBridgeException - If revocation fails, with these possible error
codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

REMOTE_EXCEPTION

If invocation of the IMS service fails.

getRegistrationStatus

This method returns the registration status of a user account on the IMS Server.

public int getRegistrationStatus(String imsUserId)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name of the IMS account to be checked. In a deployment with multiple
Active Directory (AD) domains, the format of the user name should be of
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username").

Returns:

Returns one of the following result codes:

ResultCode.USER_NOT_REGISTERED

User is not found on the IMS Server.

ResultCode.USER_IS_REGISTERED

User is found on the IMS Server and is registered.

ResultCode.USER_IS_REVOKED

User is found on the IMS Server but is revoked.

ResultCode.DATASTORE_EXCP

A database access error has occurred.

ResultCode.NOT_OK

The method could not return the registration status due to some error.

Throws:

ProvisioningBridgeException - If the call fails, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

IMS_SERVER_ERROR

If there was an error on the server that prevented this call from succeeding.

addAppAccountData

This method adds an application account data to the user's credential Wallet. The
account must not already exist in the Wallet.

public void addAppAccountData(String imsUserId, String appId,
String appUserId, String appPassword)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name of the IMS account whose credential Wallet is to be modified.
In a deployment with multiple Active Directory (AD) domains, the format of the
user name should be of the form dnsDomain\sAMAccountName (e.g.,
"encentuate.com\username").

appId

The provisioning system's unique identifier for the application to which this
account data belongs.

appUserId

The user name of the application account data to add.

appPassword

The password of the application account data to add.

Throws:

ProvisioningBridgeException - If the application account data cannot be set in
the user's Wallet, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

USER_IS_NOT_REGISTERED

If imsUserId is not registered on the IMS Server.

USER_IS_REVOKED

If imsUserId had been revoked on the IMS Server.

ACCOUNT_DATA_EXISTS

If the account data already exists.

UNKNOWN_AUTH_SERVICE

If appId did not map to a valid application identifier on the IMS Server.

IMS_SERVER_ERROR

If there was an error on the server that prevented this call from succeeding.

updateAppAccountData

This method updates an application account data in the user's credential Wallet.
The account must already exist in the Wallet.

public void updateAppAccountData(String imsUserId, String appId,
String appUserId, String appPassword)
throws ProvisioningBridgeException

Parameters:

imsUserId

The user name of the IMS account whose credential Wallet is to be modified.
In a deployment with multiple Active Directory (AD) domains, the format of the
user name should be of the form dnsDomain\sAMAccountName (e.g.,
"encentuate.com\username").

appId

The provisioning system's unique identifier for the application to which this
account data belongs.

appUserId

The user name of the application account data to update.

appPassword

The password of the application account data to update.

Throws:

ProvisioningBridgeException - If the application account data cannot be set in
the user's Wallet, with these possible error codes:

AUTHENTICATION_NEEDED

If this method is called before the IMS Bridge has logged on to the IMS Server.

USER_IS_NOT_REGISTERED

If imsUserId is not registered on the IMS Server.

USER_IS_REVOKED

If imsUserId had been revoked on the IMS Server.

ACCOUNT_DATA_DOESNT_EXIST

If the account data doesn't already exist.

UNKNOWN_AUTH_SERVICE

If appId did not map to a valid application identifier on the IMS Server.

IMS_SERVER_ERROR

If there was an error on the server that prevented this call from succeeding.

deleteAppAccountData 

This method deletes application account data from the user's credential Wallet 
on the IMS Server. 

public void deleteAppAccountData(String imsUserId, String appId, 
    String appUserId) 
    throws ProvisioningBridgeException 

Parameters: 

imsUserId 

The user name of the IMS account whose credential Wallet is to be modified. 
In a deployment with multiple Active Directory (AD) domains, the user name must 
be of the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

appId 

The provisioning system's unique identifier for the application to which this 
account data belongs. 

appUserId 

The user name of the application account data to delete. 

Throws: 

ProvisioningBridgeException - If the application account cannot be deleted 
from the user's Wallet, with these possible error codes: 

AUTHENTICATION_NEEDED 

If this method is called before the IMS Bridge has logged on to the IMS Server. 

USER_IS_NOT_REGISTERED 

If imsUserId is not registered on the IMS Server. 

USER_IS_REVOKED 

If imsUserId has been revoked on the IMS Server. 

UNKNOWN_AUTH_SERVICE 

If appId did not map to a valid application identifier on the IMS Server. 

IMS_SERVER_ERROR 

If there was an error on the server that prevented this call from succeeding. 
getUserAccounts 

This method returns a list of accounts in the user's credential Wallet. Only 
password accounts and accounts that were provisioned are returned. 

public List getUserAccounts(String imsUserId) 
    throws ProvisioningBridgeException 

Parameters: 

imsUserId 

The user name of the IMS account to be checked. In a deployment with multiple 
Active Directory (AD) domains, the user name must be of the form 
dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

Returns: 

A list of accounts. If the user does not have any accounts, the list is empty. 
Otherwise, each entry in the list is a Map that holds selected information for 
one account, with the following keys: 

USERID 

User name of the account. 

AUTHSVC_ID 

The authentication service ID of the account. 

Throws: 

ProvisioningBridgeException - If the call fails, with these possible error codes: 

AUTHENTICATION_NEEDED 

If this method is called before the IMS Bridge has logged on to the IMS Server. 

IMS_SERVER_ERROR 

If there was an error on the server that prevented this call from succeeding. 

Using SOAP API for provisioning 

SOAP (Simple Object Access Protocol) is a protocol for exchanging XML-based 
messages over a computer network, normally using HTTP. SOAP forms the 
foundation layer of the Web services stack, providing a basic messaging 
framework that more abstract layers can build on. 

SOAP services are defined using WSDL (Web Services Description Language) and 
are accessible via a URL known as a SOAP endpoint. 

Encentuate IAM provides a SOAP API for identity provisioning systems to 
communicate with the IMS Server to perform provisioning. With the SOAP API, the 
request interface is an object in your application's native programming language. 

A third-party SOAP client can be used to generate business-object interfaces and 
network stubs from a WSDL document that specifies the IMS Server message 
schema, the service address, and other information. 

The SOAP client handles the details of building the SOAP request and sending it to 
the IMS Server; your application works with data in the form of object properties 
and sends and receives that data by calling object methods. 

Identity provisioning for IAM requires the use of two sets of SOAP APIs: 

■ API for server authentication 

For the provisioning agent to log on to and log off the IMS Server. Provisioning 
agents must log on to the IMS Server before invoking other API operations. 

■ API for provisioning service 

For creating, deleting and revoking Encentuate users, and for adding, setting and 
removing application account credentials. 

A typical identity provisioning system contains provisioning agents for provisioning 
users and applications on third-party systems. It is assumed henceforth that the 
provisioning agent uses the SOAP API to integrate with the IMS Server. 

The provisioning agent first sets up an IMS Server session by logging on to the IMS 
Server. It provisions Encentuate users by specifying their user names and initial 
passwords. It can also provision application credentials by specifying the 
application user names and passwords. 

When necessary, the provisioning agent can also call the appropriate operations to 
reset application passwords, remove application credentials, and delete or revoke 
Encentuate users. Finally, the provisioning agent terminates the session by logging 
off the IMS Server. 

For more information on integrating an identity provisioning system with the IMS 
Server using the SOAP API, see Developing the SOAP client and Configuring the 
IMS Server. 

Usage of the API for provisioning a typical user is as follows: 

1. Call loginByPassword to log on to the IMS Server. 

2. Call preProvisionImsUser to provision an Encentuate user. 

3. Call createWallet to create a Wallet for the Encentuate user. 

4. Call getProvisioningCert to obtain the user's provisioning certificate, which is 
used to encrypt application passwords. 

5. Call addAccountCredential for each application to be provisioned for the user. 

6. Call terminateSession to log off the IMS Server. 

Usage of the API for resetting an application password for a user is as follows: 

1. Call loginByPassword to log on to the IMS Server. 

2. Call getProvisioningCert to obtain the user's provisioning certificate, which is 
used to encrypt application passwords. 

3. Call setAccountCredential for the application. 

4. Call terminateSession to log off the IMS Server. 

Usage of the API for removing application account credentials for a user is as 
follows: 

1. Call loginByPassword to log on to the IMS Server. 

2. Call removeAccountCredential for the application. 

3. Call terminateSession to log off the IMS Server. 

Usage of the API for deleting or revoking an Encentuate user is as follows: 

1. Call loginByPassword to log on to the IMS Server. 

2. Call deleteImsAccount or revokeImsAccount to delete or revoke the Encentuate 
user. 

3. Call terminateSession to log off the IMS Server. 

Usage of the API for checking the status of an Encentuate user and obtaining the 
list of accounts in the credential Wallet is as follows: 

1. Call loginByPassword to log on to the IMS Server. 

2. Call getRegistrationStatus to check whether the user is registered. If so, call 
getUserAccounts to obtain the list of accounts in the credential Wallet. 

3. Call terminateSession to log off the IMS Server. 

In every sequence, check the resultCode of each call before continuing, and call 
terminateSession even when an earlier step fails; otherwise the session ID issued 
by loginByPassword stays usable after the agent has given up on the task. 
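The call sequences above, as an added example that is not part of this guide or of Encentuate's code: a Python driver that runs the "provision a typical user" and "check status and list accounts" sequences over a pluggable transport. A real agent would plug in the SOAP stubs generated from the WSDL; here a canned transport replays constructed responses, which is enough to show result-code checking after every call, the mandatory terminateSession in a finally block, parsing of ResultMessage and ResultArrayMap, and the getRegistrationStatus gate before getUserAccounts. The envelope layout, the namespace-free element names, the "...Return" element for int-returning operations and the service names are assumptions; the WSDL served by the IMS Server is authoritative. The encrypt callback is a stand-in for the RSA step described under addAccountCredential.

```python
# Provisioning call sequences over a pluggable SOAP transport.  Added example, not
# Encentuate code; the lead-in above states what is assumed.
import xml.etree.ElementTree as ET

AUTH, PROV, OK, USER_IS_REGISTERED = "ServerAuthentication", "ProvisioningService", 0x0, 0x53000282

class ProvisioningError(Exception): pass     # args == (operation, resultCode, resultString)

_local = lambda tag: tag.rsplit("}", 1)[-1]  # drop any namespace prefix

def parse_result(xml_text):
    """(resultCode, resultString, maps) from a bare-int, ResultMessage or ResultArrayMap response."""
    root = ET.fromstring(xml_text)
    code, text, maps = None, None, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "resultCode":
            code = int(el.text)
        elif name == "resultString":
            text = el.text
        elif name == "Map":                  # one apachesoap:Map per Wallet account
            items = ({_local(c.tag): (c.text or "") for c in item} for item in el)
            maps.append({kv.get("key"): kv.get("value") for kv in items})
    if code is None:                         # int-returning operations (assumed <opReturn> element)
        code = int(next(x.text for x in root.iter() if _local(x.tag).endswith("Return")))
    return code, text, maps

class ProvisioningAgent:
    def __init__(self, transport):
        self.call, self.session = transport, None   # call(service, operation, args) -> response XML

    def _invoke(self, service, op, **args):
        code, text, maps = parse_result(self.call(service, op, args))
        if code != OK:
            raise ProvisioningError(op, code, text)
        return text, maps

    def login(self, server_id, shared_secret):
        text, _ = self._invoke(AUTH, "loginByPassword", serverId=server_id, password=shared_secret)
        if not text:                         # OK without a session ID is still unusable
            raise ProvisioningError("loginByPassword", OK, "no session ID in resultString")
        self.session = text
        return self

    def logoff(self):
        if self.session:
            sid, self.session = self.session, None
            self._invoke(AUTH, "terminateSession", sessionKey=sid)

    def provision_user(self, enterprise_id, initial_password, accounts, encrypt):
        """Steps 2 to 5 for a typical user; encrypt(cert, password) must return the RSA <password> snippet."""
        args = dict(sessionId=self.session, enterpriseId=enterprise_id)
        self._invoke(PROV, "preProvisionImsUser", initialPassword=initial_password, attributes=None, **args)
        wallet_id, _ = self._invoke(PROV, "createWallet", walletId=None, **args)
        cert, _ = self._invoke(PROV, "getProvisioningCert", **args)
        for auth_id, acct_type, username, password in accounts:   # (authId, accountType, username, password)
            self._invoke(PROV, "addAccountCredential", authId=auth_id, accountType=acct_type,
                         username=username, password=encrypt(cert, password), **args)
        return wallet_id

    def list_accounts(self, enterprise_id):
        """getRegistrationStatus reports the status in its result code; list only a registered user."""
        args = dict(sessionId=self.session, enterpriseId=enterprise_id)
        status, _, _ = parse_result(self.call(PROV, "getRegistrationStatus", args))
        if status != USER_IS_REGISTERED:
            return status, []
        _, maps = self._invoke(PROV, "getUserAccounts", **args)
        return status, [(m.get("USERID"), m.get("AUTHSVC_ID")) for m in maps]

_MSG = ("<Envelope><Body><Response><ResultMessage><resultCode>{code}</resultCode>"   # constructed stand-ins
        "<resultString>{text}</resultString></ResultMessage></Response></Body></Envelope>")
_INT = "<Envelope><Body><Response><opReturn>{code}</opReturn></Response></Body></Envelope>"
_ARR = ("<Envelope><Body><Response><ResultArrayMap><maps><Map><item><key>USERID</key><value>jdoe</value>"
        "</item><item><key>AUTHSVC_ID</key><value>auth_sap</value></item></Map><Map><item><key>USERID</key>"
        "<value>jdoe@mail</value></item><item><key>AUTHSVC_ID</key><value>auth_owa</value></item></Map>"
        "</maps><resultCode>{code}</resultCode></ResultArrayMap></Response></Body></Envelope>")

def canned_transport(script):
    """Replay (code, text) per operation from script (default OK) and record the call order."""
    def call(service, op, args):
        call.calls.append(op)
        code, text = script.get(op, (OK, ""))
        tpl = (_ARR if op == "getUserAccounts" else
               _MSG if op in ("loginByPassword", "createWallet", "getProvisioningCert") else _INT)
        return tpl.format(code=code, text=text)
    call.calls = []
    return call

def run_flow(script, accounts=(("auth_sap", "Password", "jdoe", "S3cret!"),)):
    """Log on, provision jdoe, list the Wallet, always log off; returns (calls, wallet_id, listed, error)."""
    transport = canned_transport(script)
    agent = ProvisioningAgent(transport).login("itim-agent", "shared-secret")
    wallet_id, listed, error = None, [], None
    try:   # the encrypt lambda stands in for the RSA step a real agent performs; never send plaintext
        wallet_id = agent.provision_user("encentuate.com\\jdoe", "Init!2345", accounts,
                                         encrypt=lambda cert, pw: "<password>[encrypted]</password>")
        _, listed = agent.list_accounts("encentuate.com\\jdoe")
    except ProvisioningError as err:
        error = err.args[1]
    finally:
        agent.logoff()                       # terminateSession whether or not a step failed
    return transport.calls, wallet_id, listed, error
```

A script such as {"loginByPassword": (OK, "sess-1"), "createWallet": (OK, "wallet-1"), "getProvisioningCert": (OK, "<cert>"), "getRegistrationStatus": (USER_IS_REGISTERED, "")} walks the full sequence; adding "addAccountCredential": (0x53008402, "") injects ACCOUNT_ALREADY_EXISTS, and run_flow then stops before getRegistrationStatus but still ends with terminateSession.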

Developing the SOAP client 

The provisioning agent (Encentuate IMS Bridge) must be developed as a SOAP 
client. 

The SOAP API has been tested on the following platforms: 

■ Microsoft .NET with Visual Studio .NET 

■ Apache Axis 

Other SOAP client environments can be used as long as they support standard 
SOAP messages. 

SOAP tools consume WSDL to generate SOAP client code. The WSDL for this API 
can be obtained from an installed IMS Server at the following URLs (replace 
imsserver with the hostname of your IMS Server): 

■ https://imsserver/ims/services/encentuate.ims.service.ProvisioningService?wsdl 

■ https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication?wsdl 

You can also refer to WSDL for Server Authentication and WSDL for Provisioning 
Service for the list of WSDLs. 

Sample code is available in the following folder that accompanies this document: 
Windows application using Visual C# (win_cs folder). 

To develop the SOAP client (using Visual Studio .NET): 

1. Add a Web Reference, directing it to the WSDL for Server Authentication. 
Name it ImsServerAuthentication. 

2. Add a Web Reference, directing it to the WSDL for Provisioning Service. Name 
it ImsProvisioningService. 

3. In the appropriate code, create a new 
ImsServerAuthentication.ServerAuthenticationService object. 

4. In the appropriate code, create a new 
ImsProvisioningService.ProvisioningServiceService object. 

5. Where needed, call the objects' methods. 

To develop the SOAP client (using Apache Axis): 

1. Use WSDL2Java to automatically create Java stubs and classes. 

2. In the appropriate code, create a new 
EncentuateServerAuthenticationServerAuthenticationSoapBindingStub object, 
directing it to the WSDL for Server Authentication. 

3. In the appropriate code, create a new 
EncentuateProvisioningServiceProvisioningServiceSoapBindingStub object, 
directing it to the WSDL for Provisioning Service. 

4. Where needed, call the objects' methods. 


Configuring the IMS Server 

To configure the IMS Server for the SOAP API, refer to the procedure in Configuring 
The IMS Server. However, note the following: 

■ The provisioning agent communicates with the IMS Server using one-way SSL. 
This means that the provisioning agent needs to trust the IMS Server's SSL 
certificate; the server does not authenticate the agent by certificate, only by 
the shared secret passed to loginByPassword. 

If you are deploying the provisioning agent on an application server where 
there is already a common trust store shared by different applications, import 
the IMS Server's SSL certificate into that key store as a trusted certification 
authority entry. If the entry you import is the server's own certificate rather 
than the CA that issued it, repeat the import whenever that certificate is renewed. 

On the Java platform, you can create a key store using the Java keytool utility. 
On the Visual Studio .NET platform, you can store the IMS Server's SSL 
certificate in the Windows certificate store using the Certificates snap-in. 

You can use Internet Explorer to download the IMS Server's SSL certificate into 
the Windows certificate store by visiting https://imsserver/ (where imsserver is 
the IMS Server's hostname), clicking View Certificate and installing the 
certificate in the Local Computer certificate store: 

Install Certificate >> Next >> Place all certificates in the following store >> 
Browse >> Show physical stores >> Trusted Root Certification Authorities >> 
Local Computer >> OK >> Next >> Finish. 

■ Ensure that the SOAP client (provisioning agent) specifies the correct 
provisioning agent name, shared secret, authentication service IDs, and account 
types when using the API. The shared secret, and the session ID it yields, 
authorize every provisioning operation, so keep them out of logs and out of 
configuration that other applications on the same host can read. 

SOAP API data types 

This section specifies the data types and values that are used by this API. 

resultCode 

<element name="resultCode" type="xsd:int" /> 

Synopsis: 

The result code that is returned by an operation to indicate the operation's success 
or the reason for failure. 

Value: 

Identifier                        Value (Hex)   Description 
OK                                0x00000000    Success. 
NOT_OK                            0x50000001    Generic failure. 
BAD_CONFIGURATION                 0x13000110    Bad IMS Server configuration. 
ACCESS_DENIED                     0x53000220    Incorrect shared secret, or the SOAP client IP address is not allowed. 
DATASTORE_EXCP                    0x23005000    A database error has occurred. 
BAD_INPUT_PARAMETERS              0x53000320    An input parameter is null or empty. 
INVALID_LOGIN_CLIENT_IP_MISSING   0x53000254    Unable to log on because the SOAP client IP address could not be found. 
INVALID_SESSION                   0x53000200    Session ID is not valid. 
UNKNOWN_AUTH_SERVICE              0x53008101    The requested authentication service does not exist. 
INVALID_AUTH_SERVICE              0x53008150    The requested authentication service has not been correctly defined. 
INVALID_ACCOUNT_DATA_TEMPLATE     0x53008151    The account data template specified for the authentication service does not match the fields given as inputs. 
USER_IS_REGISTERED                0x53000282    The specified user is registered. 
USER_IS_REVOKED                   0x53000259    The specified user has been revoked. 
USER_NOT_REGISTERED               0x53000284    The specified user is not yet registered. 
UNSUPPORTED_AUTH_MECHANISM        0x53008251    The authentication service does not support authentication by password. 
UNKNOWN_DATA_STORAGE_TEMPLATE     0x53008301    There is an error obtaining the storage template for the authentication service. 
ACCOUNT_ALREADY_EXISTS            0x53008402    The account being added already exists for the user. 
ENTRY_NOT_FOUND                   0x23005530    The specified user is not found. 
UNEXPECTED_WARNING                0x23000002    An encryption error has occurred. 
UNKNOWN_ACCOUNT_DATA_TEMPLATE     0x53008102    There is an error obtaining the account data template for the authentication service. 
ACCOUNT_NOT_FOUND                 0x53008403    The account to be deleted does not exist. 

All of these values fit in a signed 32-bit integer (the xsd:int of the schema), so 
compare them numerically rather than as strings. 
resultString 

<element name="resultString" nillable="true" type="xsd:string" /> 

Synopsis: 

The result string that is returned by an operation to indicate the operation's output. 

Value: 

Depends on the operation. 

ResultMessage 

<complexType name="ResultMessage"> 
  <sequence> 
    <element name="resultCode" type="xsd:int" /> 
    <element name="resultString" nillable="true" type="xsd:string" /> 
  </sequence> 
</complexType> 

<element name="ResultMessage" nillable="true" type="tns1:ResultMessage" /> 

Synopsis: 

The composite result message that is returned by an operation to indicate the 
operation's success/failure as well as its output. 

Value: 

Depends on the operation. 

NameValue 

<complexType name="NameValue"> 
  <sequence> 
    <element name="name" nillable="true" type="xsd:string"/> 
    <element name="value" nillable="true" type="xsd:string"/> 
  </sequence> 
</complexType> 

Synopsis: 

Name-value pair for a user attribute. 

Value: 

For example, to set a user's mobile phone number for receiving Mobile 
ActiveCodes, name should be set to "gsmNumber" and value should be set to a 
mobile phone number of the format "1-617-12345678". 

ResultArrayMap 

<complexType name="ResultArrayMap"> 
  <sequence> 
    <element name="maps" nillable="true" type="impl:ArrayOf_apachesoap_Map"/> 
    <element name="resultCode" type="xsd:int"/> 
  </sequence> 
</complexType> 

<element name="ResultArrayMap" nillable="true" type="tns1:ResultArrayMap"/> 

<complexType name="ArrayOf_apachesoap_Map"> 
  <complexContent> 
    <restriction base="soapenc:Array"> 
      <attribute ref="soapenc:arrayType" wsdl:arrayType="apachesoap:Map[]"/> 
    </restriction> 
  </complexContent> 
</complexType> 

<complexType name="Map"> 
  <sequence> 
    <element maxOccurs="unbounded" minOccurs="0" name="item"> 
      <complexType> 
        <all> 
          <element name="key" type="xsd:anyType"/> 
          <element name="value" type="xsd:anyType"/> 
        </all> 
      </complexType> 
    </element> 
  </sequence> 
</complexType> 

Synopsis: 

The composite result message that is returned by an operation to indicate the 
operation's success/failure as well as an array of Maps as its output. Each Map is 
a sequence of item elements, each carrying one key and one value. 

Value: 

Depends on the operation. 
SOAP API operations 

Server authentication 

This section specifies the operations that are offered by the API for server 
authentication. 

loginByPassword 

public ResultMessage loginByPassword(String serverId, String password); 

Synopsis: 

To log on to the IMS Server as a provisioning agent. 

This operation requests the IMS Server to issue a session ID that can be used in 
other provisioning operations. 

Arguments: 

serverId 

The "name" of the provisioning agent. This must correspond to the provisioning 
agent name setting in the IMS Server configuration file (see the IMS Server 
Configuration section). 

password 

The shared secret between the provisioning agent and the IMS Server. 

Return Value: 

Returns ResultMessage, which consists of resultCode and resultString. 

Returns the session ID in resultString if resultCode is OK. 

Returns an error message in resultString if resultCode is not OK. 

Remarks: 

This operation must be used to log on to the IMS Server before other operations 
of this API can be invoked. The session ID returned by this operation is passed to 
the other operations of this API and authorizes every one of them until 
terminateSession is called, so handle it with the same care as the shared secret. 

terminateSession 

public int terminateSession(String sessionKey); 

Synopsis: 

To terminate the session. 

This operation requests the IMS Server to terminate the session identified by 
sessionKey. 

Arguments: 

sessionKey 

The session ID of the session to be terminated. 

Return Value: 

Returns resultCode. 

Remarks: 

This operation should be used to terminate the session after all required user 
provisioning operations have been performed, including when one of them failed. 

Provisioning service 

This section specifies the operations that are offered by the API for provisioning 
service. Before using any of these operations, a session ID must already have been 
obtained through the loginByPassword operation of the API for server 
authentication. 

addAccountCredential 

public int addAccountCredential( 
    String sessionId, String enterpriseId, String authId, 
    String accountType, String username, String password); 

Synopsis: 

To add provisioned account credentials for a user. 

This operation requests the IMS Server to add a set of application account 
credentials for an existing Encentuate user. For security, the password must be 
encrypted using the user's provisioning certificate. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be provisioned. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

authId 

The authentication service ID of the user account to be provisioned. 

accountType 

The type of account to be provisioned: "Password", "OTP", "MAC", or "Certificate". 

username 

The application user name of the user account to be provisioned. 

password 

The password, encrypted with the user's provisioning encryption certificate and 
Base64-encoded, in an XML snippet of the following form: 

<password transformation="RSA/None/PKCS1Padding/2048/ProvisionKeypair"> 
QtOpkLOeWD+7vMPLUIVYHJFHijY+2ggvmlC26raOXMZBURrbQRbgvXeI4SA5tuh 
7EuBkLJWjC/fhivpBqmz2NmlersSUFZ4IQxYeOEXDtxBmkSF149I/ 
eieUVzhVcyvrzkP276FPX4Y01Miz/S4fq9o4Xs7Wlr33Nu2tKSCVwvNWZlR2/ 
DtRTxmHI5ibOROVs3ie7rdGpG75xY6lgwwMUCFeF7VoFZTlT07AXA7yTlAbOiE6 
OiYHxhl2VTASNPo8SegGlvZqjrxrzIUbilDloV620C6RhV7D741iXykhZmmxBH/ 
UWvaK3GlIlxE/Cva39hIE01Uw8mlSPNilgLqLKw== 
</password> 

Encode the password in UTF-16LE before encrypting it. After encryption, reverse 
the ciphertext bytes into little-endian order before converting them to Base64. 
For the 2048-bit provisioning key this yields 256 ciphertext bytes and 344 Base64 
characters, as in the sample above. 

Return Value: 

Returns resultCode. 

Remarks: 

Before using this operation, the user's provisioning certificate must already have 
been obtained through the getProvisioningCert operation. 

createWallet 

public ResultMessage createWallet( 
    String sessionId, String enterpriseId, String walletId); 

Synopsis: 

To create a Wallet for the given enterprise ID. 

This operation requests the IMS Server to create a Wallet for the provisioned user. 
A Wallet is only created if the user does not already have one. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be provisioned. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

walletId 

The ID of the Wallet to be created. If this parameter is null or empty, a Wallet 
ID is generated. 

Return Value: 

Returns ResultMessage, which consists of resultCode and resultString. 

Returns the Wallet ID in resultString if resultCode is OK. 

Remarks: 

This operation should be used to create a Wallet after a user has been provisioned. 

deleteImsAccount 

public int deleteImsAccount( 
    String sessionId, String enterpriseId); 

Synopsis: 

To delete an Encentuate user. 

This operation requests the IMS Server to delete an Encentuate user and the 
corresponding Wallet. A deleted user is completely removed from the IMS 
database, and another user with the same enterprise ID can be provisioned later 
on. To block re-use of the enterprise ID instead, use revokeImsAccount. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be deleted. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

Return Value: 

Returns resultCode. 

getProvisioningCert 

public ResultMessage getProvisioningCert( 
    String sessionId, String enterpriseId); 

Synopsis: 

To get the specified user's X.509 provisioning certificate. 

This operation requests the IMS Server to return the X.509 certificate that is 
used to encrypt passwords for provisioned account credentials. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user whose certificate is 
requested. In a deployment with multiple Active Directory (AD) domains, the user 
name must be of the form dnsDomain\sAMAccountName (e.g., 
"encentuate.com\username"). 

Return Value: 

Returns ResultMessage, which consists of resultCode and resultString. 

Returns the user's provisioning encryption certificate in resultString if resultCode 
is OK. The certificate is a Base64-encoded X.509 (.CER) certificate; the agent 
extracts the RSA public key from it for the password encryption described under 
addAccountCredential. 

Remarks: 

This operation should be used to obtain a user's provisioning certificate before 
the operations that set account credentials, addAccountCredential and 
setAccountCredential, are used. 

getRegistrationStatus 

public int getRegistrationStatus( 
    String sessionId, String enterpriseId); 

Synopsis: 

To get the registration status of a user account on the IMS Server. 

This operation requests the IMS Server to return the registration status of a user 
account, which may be registered, not found, not yet registered, or revoked. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be checked. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

Return Value: 

Returns resultCode. The status is carried in the code itself; see 
USER_IS_REGISTERED, USER_NOT_REGISTERED, USER_IS_REVOKED and ENTRY_NOT_FOUND 
in the resultCode table. 

getUserAccounts 

public ResultArrayMap getUserAccounts( 
    String sessionId, String enterpriseId); 

Synopsis: 

To get the list of accounts in a user's credential Wallet. 

This operation requests the IMS Server to return the list of accounts in a user's 
credential Wallet. Only password accounts and accounts that were provisioned 
are returned. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user whose Wallet is to be 
listed. In a deployment with multiple Active Directory (AD) domains, the user 
name must be of the form dnsDomain\sAMAccountName (e.g., 
"encentuate.com\username"). 

Return Value: 

Returns ResultArrayMap, which consists of resultCode and an array of Maps. If the 
user does not have any accounts, the array is empty. Otherwise, each entry in the 
array is a Map that holds selected information for one account, with the 
following keys: 

USERID 

User name of the account. 

AUTHSVC_ID 

The authentication service ID of the account. 

preProvisionImsUser 

public int preProvisionImsUser( 
    String sessionId, String enterpriseId, String initialPassword, 
    NameValue[] attributes); 

Synopsis: 

To create an Encentuate user. 

This operation requests the IMS Server to create an Encentuate user with the 
specified enterprise ID (Encentuate user name) and initial Encentuate password. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be provisioned. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

initialPassword 

The initial Encentuate password for the user. 

attributes 

Any IMS attributes (name-value pairs) that are to be added for the new Encentuate 
user; null is an acceptable input. The following user attributes are to be used 
for a deployment with multiple AD domains: 

• userPrincipalName (optional): UPN of the user account. (This is only useful 
when the enterprise directory is AD.) 

• domainDnsName: DNS domain name of the enterprise directory. 

• sAMAccountName: sAMAccountName of the AD user account. (This is only 
useful when the enterprise directory is AD.) 

• directoryId (optional): ID of the enterprise directory that holds the user 
account. (This is optional if only one enterprise directory is configured in the 
IMS Server.) 

Return Value: 

Returns resultCode. 
removeAccountCredential 

public int removeAccountCredential( 
    String sessionId, String enterpriseId, String authId, 
    String accountType, String username); 

Synopsis: 

To remove provisioned account credentials for a user. 

This operation requests the IMS Server to remove the specified account credentials 
for a user. The account must already exist for the user. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user. In a deployment with 
multiple Active Directory (AD) domains, the user name must be of the form 
dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

authId 

The authentication service ID of the user account to be removed. 

accountType 

The type of account to be removed: "Password", "OTP", "MAC", or "Certificate". 

username 

The application user name of the user account to be removed. 

Return Value: 

Returns resultCode. 

revokeImsAccount 

public int revokeImsAccount( 
    String sessionId, String enterpriseId); 

Synopsis: 

To revoke an Encentuate user. 

This operation requests the IMS Server to revoke an Encentuate user and the 
user's authentication factors. A revoked user is marked as revoked in the IMS 
database, and new users are not allowed to re-use the enterprise ID of the 
revoked user. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user to be revoked. In a 
deployment with multiple Active Directory (AD) domains, the user name must be of 
the form dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

Return Value: 

Returns resultCode. 

setAccountCredential 

public int setAccountCredential( 
    String sessionId, String enterpriseId, String authId, 
    String accountType, String username, String password); 

Synopsis: 

To set provisioned account credentials for a user. 

This operation requests the IMS Server to set the application password of an 
existing user account. This operation fails if the account data does not already 
exist or the account is not of the "Password" type. 

Arguments: 

sessionId 

The session ID of the provisioning agent. 

enterpriseId 

The enterprise ID (Encentuate user name) of the user. In a deployment with 
multiple Active Directory (AD) domains, the user name must be of the form 
dnsDomain\sAMAccountName (e.g., "encentuate.com\username"). 

authId 

The authentication service ID of the user account to be set. 

accountType 

The type of account to be set: "Password", "OTP", "MAC", or "Certificate". 

username 

The application user name of the user account to be set. 

password 

The password, encrypted with the user's provisioning encryption certificate and 
Base64-encoded, in an XML snippet of the following form: 

<password transformation="RSA/None/PKCS1Padding/2048/ProvisionKeypair"> 
QtOpkLOeWD+7vMPLUIVYHJFHijY+2ggvmlC26raOXMZBURrbQRbgvXeI4SA5tuh 
7EuBkLJWjC/fhivpBqmz2NmlersSUFZ4IQxYeOEXDtxBmkSF149I/ 
eieUVzhVcyvrzkP276FPX4Y01Miz/S4fq9o4Xs7Wlr33Nu2tKSCVwvNWZlR2/ 
DtRTxmHI5ibOROVs3ie7rdGpG75xY6lgwwMUCFeF7VoFZTlT07AXA7yTlAbOiE6 
OiYHxhl2VTASNPo8SegGlvZqjrxrzIUbilDloV620C6RhV7D741iXykhZmmxBH/ 
UWvaK3GlIlxE/Cva39hIE01Uw8mlSPNilgLqLKw== 
</password> 

Encode the password in UTF-16LE before encrypting it. After encryption, reverse 
the ciphertext bytes into little-endian order before converting them to Base64. 

Return Value: 

Returns resultCode. 

Remarks: 

Before using this operation, the user's provisioning certificate must already have 
been obtained through the getProvisioningCert operation. 
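The password argument of addAccountCredential and setAccountCredential, as an added example that is not part of this guide or of Encentuate's code: the agent-side steps in order (UTF-16LE encoding, PKCS#1 v1.5 type 2 padding, RSA encryption, byte reversal into little-endian order, Base64, the <password> element with the transformation attribute from this guide) and the inverse so the result can be checked with the matching private key. It assumes the agent has already extracted the RSA public key (n, e) from the Base64 X.509 certificate returned by getProvisioningCert; because no such certificate is reproduced here, a throwaway 2048-bit key pair generated inside the block stands in for it. The PKCS#1 v1.5 routines are written out in full rather than taken from a library so the block runs offline.

```python
"""Encrypted <password> snippet for addAccountCredential / setAccountCredential.
Added example, not Encentuate code.  Assumption: a real agent takes (n, e) from
the X.509 provisioning certificate; demo_keypair() stands in for that here."""
import base64
import secrets
import xml.etree.ElementTree as ET

TRANSFORMATION = "RSA/None/PKCS1Padding/2048/ProvisionKeypair"   # from this guide
_SMALL_PRIMES = [p for p in range(3, 1000)
                 if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def _is_probable_prime(n, rounds=16):
    """Trial division plus Miller-Rabin; only used to make the demo key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return n in _SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=2048, e=65537):
    """Throwaway RSA key (n, e, d) standing in for the user's provisioning certificate."""
    half = bits // 2
    while True:
        p = secrets.randbits(half) | (3 << (half - 2)) | 1   # top two bits set: n is exactly `bits` long
        q = secrets.randbits(half) | (3 << (half - 2)) | 1
        if p != q and _is_probable_prime(p) and _is_probable_prime(q) \
                and (p - 1) % e and (q - 1) % e:            # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_v15_pad(message, k):
    """EME-PKCS1-v1_5 type 2 block: 00 02 <at least 8 non-zero random bytes> 00 M."""
    if len(message) > k - 11:
        raise ValueError("password too long for the key size")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message

def pkcs1_v15_unpad(block):
    """Inverse of pkcs1_v15_pad.  The IMS Server does the real decryption; this checker
    is not constant-time and must never be exposed as a decryption oracle."""
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad PKCS#1 v1.5 padding")
    return block[sep + 1:]

def encrypt_password(password, n, e):
    """Return the <password> snippet: UTF-16LE -> PKCS#1 v1.5 -> RSA -> byte-reverse -> Base64."""
    k = (n.bit_length() + 7) // 8
    block = pkcs1_v15_pad(password.encode("utf-16-le"), k)   # this codec emits no BOM
    c = pow(int.from_bytes(block, "big"), e, n)
    el = ET.Element("password", transformation=TRANSFORMATION)
    el.text = base64.b64encode(c.to_bytes(k, "little")).decode("ascii")  # little-endian, per the guide
    return ET.tostring(el, encoding="unicode")

def decrypt_snippet(snippet, n, d):
    """Check a snippet with the matching private key (what the server side sees)."""
    el = ET.fromstring(snippet)
    if el.tag != "password" or el.get("transformation") != TRANSFORMATION:
        raise ValueError("unexpected password element")
    k = (n.bit_length() + 7) // 8
    ct = base64.b64decode(el.text or "", validate=True)
    if len(ct) != k:
        raise ValueError("ciphertext length does not match the key")
    m = pow(int.from_bytes(ct, "little"), d, n)
    return pkcs1_v15_unpad(m.to_bytes(k, "big")).decode("utf-16-le")

if __name__ == "__main__":
    n, e, d = demo_keypair()
    snippet = encrypt_password("S3cret!Pässw0rd", n, e)
    print(snippet)
    print(decrypt_snippet(snippet, n, d))
```

With a 2048-bit key the element body is 344 Base64 characters, the same length as the sample in this guide; a password longer than 122 UTF-16 code units (245 bytes minus the 11-byte padding overhead, halved) does not fit a single PKCS#1 v1.5 block and is rejected before anything is sent.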

Provisioning API setup and 
maintenance 


To provision a new user (Provisioning API): 

1. The provisioning system provides the Encentuate user name and initial 
   Encentuate password to the IMS Server, which in turn provisions the 
   Encentuate user on the IMS Server. 

2. The user's Wallet is also initialized on the IMS Server at this time, so 
   that application account credentials can then be added to the Wallet. 

   Encentuate user accounts must be created before other application 
   accounts. Application account credentials cannot be added to the user's 
   Wallet before the user is provisioned on the IMS Server. 

3. The users log on with their Encentuate user names and initial Encentuate 
   passwords when they use AccessAgent for the first time. They are prompted 
   to change the initial password, and the Wallet containing the provisioned 
   account credentials is downloaded from the IMS Server. 

To add an application account (Provisioning API): 

1. The provisioning system provides the Encentuate user name and the 
   application credentials to the IMS Server, which in turn adds the 
   application and other credentials to the user's Wallet. 

2. The next time the user logs on to AccessAgent, AccessAgent has the 
   necessary credentials in the Wallet to automate sign-on to the new 
   application. Applications can therefore be added without informing users 
   of the new credentials; users only need to sign on to AccessAgent. 

To reset an application password (Provisioning API): 

1. The provisioning system provides the Encentuate user name and the new 
   application password to the IMS Server, which in turn updates the 
   application password in the user's Wallet. 

2. The next time the user logs on to AccessAgent, AccessAgent has the 
   updated application password in the Wallet to automate sign-on to the 
   application. Administrators can therefore reset application passwords 
   without notifying each user; users only need to sign on to Encentuate to 
   log on to the application. 

To delete an application account (Provisioning API): 

1. The provisioning system provides the Encentuate user name and the 
   application account name to the IMS Server, which in turn deletes the 
   application account from the user's Wallet. 

2. The next time the user logs on to AccessAgent, AccessAgent no longer has 
   access to the deleted application's credentials in the Wallet and cannot 
   sign on to the application on the user's behalf. Applications can be 
   removed centrally, and all access is terminated automatically. 

To de-provision users (Provisioning API): 

1. The provisioning system provides the Encentuate user name to be 
   de-provisioned to the IMS Server, which revokes the Encentuate user. 
   Revoking the Encentuate user invalidates both the user's accounts and the 
   user's Wallet on the server. 

2. If the user attempts to log on using AccessAgent, the logon fails and any 
   Wallets cached locally by AccessAgent are revoked. 



IBM Tivoli Integration 


The integration of Encentuate IAM with IBM Tivoli Identity Manager combines 
the strengths of the two products: ITIM provides identity lifecycle 
management, while Encentuate provides real-time enforcement of strong 
identities by simplifying, strengthening, and tracking access to all 
applications. 

This chapter details the setup and configuration steps required to integrate 
the IBM Tivoli Identity Manager (ITIM) provisioning system with the 
Encentuate IAM access security solution. An integrated workflow and the 
benefits of an integrated provisioning and access security solution are also 
discussed. It is assumed that both ITIM and the IMS Server have already been 
installed. 

This chapter covers the following topics: 

■ About IBM Tivoli integration 

■ Minimum requirements 

■ Using the integration package 

■ Configuring the IBM Tivoli Directory Integrator (IDI) 

■ Configuring the IBM Tivoli Identity Manager 

■ Provisioning setup and maintenance 

■ Configuring ITAM 

About IBM Tivoli integration 

Encentuate IAM integrates with both Tivoli Access Manager (ITAM) and Tivoli 
Identity Manager (ITIM) to provide a complete identity and access management 
solution. 

While ITIM provides identity lifecycle management for application users, 
Encentuate IAM provides real-time enforcement of access security policies for 
users and applications. 











The integrated solution delivers seamless identity and access management: 
application account provisioning, a centralized view of all application 
accounts, sign-on/sign-off automation, authentication management, 
user-centric audit logs and reporting, and centralized de-provisioning of all 
accounts. 

Encentuate IAM is already integrated with ITIM, so users created in ITIM can 
be provisioned automatically in IAM. Application accounts that are 
provisioned using ITIM are also automatically populated in the corresponding 
users' Encentuate Wallets. 

The workflow of the provisioning process is illustrated in the following diagram: 





Encentuate integration overview (IBM Tivoli) 


The IBM Tivoli Identity Manager needs to communicate with the IMS Server to 
populate and manage credentials in the Wallet. The Encentuate IMS Bridge and 
the Encentuate Workflow Extension are the interface engines that act as 
intermediaries between the IMS Server and the IBM Tivoli Identity Manager. 

ITIM will connect to the IMS Server via the Encentuate Workflow Extension to add 
account credentials to users' Wallets. To perform tasks such as create an IMS user, 
delete an IMS user, and search for IMS users, separate assembly lines will be 
configured on the IBM Tivoli Directory Integrator (IDI). The assembly lines will be 
activated by an event handler configured for an IMS naming context. 

Once the workflow extension has been added to ITIM, and the assembly lines and 
event handler configured on IDI, all application accounts provisioned through IBM 
Tivoli Identity Manager will be single sign-on enabled. 
When an administrator creates a user in ITIM along with the ITAM account, a 
corresponding account is also provisioned in IAM. The user's ITAM logon 
credentials are automatically populated in the Encentuate Wallet. 

The user then only needs to log on to the Wallet by presenting one or more 
authentication factors to AccessAgent, which performs automatic sign-on to 
enterprise applications, including ITAM. The authentication factors can 
include hardware factors such as a USB token or an RFID card. 


Communications between ITIM, ITAM, IMS Server, and AccessAgent 

Communication process between ITIM, ITAM, IMS Server, and AccessAgent 


1. When ITIM provisions a new user, it raises an event via DSML to the IBM 
   Tivoli Directory Integrator (IDI). The user-addition assembly line in IDI 
   communicates with the IMS Bridge to create the new IMS user. 

2. The Encentuate Workflow Extension is inserted into each application's 
   account-creation workflow, including ITAM's. When ITIM provisions a new 
   ITAM account for the user, the Encentuate Workflow Extension is invoked 
   and passes the ITAM account data to the IMS Server using SOAP over HTTPS; 
   the IMS Server in turn populates the user's Wallet with the new ITAM 
   account data. 

3. The user logs on to the Wallet by presenting one or more authentication 
   factors to AccessAgent, which then obtains the Wallet, containing the new 
   ITAM account data, from the IMS Server. 

4. AccessAgent performs sign-on automation for all types of applications: 
   enterprise, personal, certificate-enabled, and any Windows user accounts. 
   AccessAgent auto-fills the appropriate user credentials when an 
   application is launched and logs the user on to the application. 

   When an application integrated with ITAM is launched, AccessAgent 
   auto-fills the ITAM user name and password in the ITAM basic 
   authentication logon prompt. The user does not need to know the ITAM user 
   name and password. 

5. When ITIM de-provisions a user, it raises an event via DSML to IDI. The 
   user-deletion assembly line in IDI communicates with the IMS Bridge to 
   delete the user. 

6. The deleted user can no longer log on to AccessAgent to perform sign-on 
   automation. 


Communications between the ITIM and the IMS Server 

[Figure: Encentuate AccessAgent; Encentuate Wallet (Passwords, Credentials, 
Policies)] 

Communication process between ITIM and IMS Bridge 


The following are the communication processes between the IMS Bridge and 
the IMS Server using Simple Object Access Protocol (SOAP) over HTTPS: 

1. When ITIM provisions new users, it raises an event via DSML to the IBM 
   Tivoli Directory Integrator (IDI). The user-addition assembly line in IDI 
   communicates with the IMS Bridge using JavaScript to create the IMS users. 

2. The Encentuate Workflow Extension is inserted into each application's 
   account-creation workflow. When ITIM provisions new accounts on an 
   application for users, the Encentuate Workflow Extension is invoked and 
   passes the users' account data to the IMS Server using SOAP over HTTPS; 
   the IMS Server in turn populates the users' Wallets with the new account 
   data. 

3. The Encentuate Workflow Extension is inserted into each application's 
   password-reset workflow. When a user's password is reset, the Encentuate 
   Workflow Extension is invoked and passes the new password to the IMS 
   Server, which updates the credentials in the user's Wallet. 

4. When ITIM de-provisions users, it raises an event via DSML to IDI. The 
   user-deletion assembly line in IDI communicates with the IMS Bridge using 
   JavaScript to delete the users. 

5. The Encentuate Workflow Extension is inserted into each application's 
   account-deletion workflow. When ITIM de-provisions an enterprise 
   application account, the Encentuate Workflow Extension is invoked and 
   sends the command to the IMS Server, which in turn deletes the 
   application record from the users' Wallets. 

6. When users log on to Encentuate's client software, AccessAgent, the 
   software downloads the users' Wallets from the IMS Server and then 
   performs sign-on automation for all types of applications: enterprise, 
   personal, certificate-enabled, and any Windows user accounts. 
   AccessAgent: 

   • Auto-fills users' credentials into the appropriate application. 

   • Logs the users on to the application. 

   AccessAgent also detects any password change and synchronizes the 
   Wallets on the users' computers with the Wallets stored on the IMS 
   Server. 

Minimum requirements 

ITIM 

■ IBM Tivoli Identity Manager: 4.5.1 and 4.6 

■ Encentuate IMS Server: 3.0.0.0 and above 

■ Encentuate AccessAgent: 3.0.3.4 and above 


ITAM 

■ IBM Tivoli Access Manager: 5.1 and above 

■ Encentuate IMS Server: 3.0.0.0 and above 

■ Encentuate AccessAgent: 3.0.3.4 and above 

■ Encentuate AccessStudio: 3.0.1.2 and above 





Using the integration package 

The ITIM integration package contains the following folders: 

■ provisioningbridge [Encentuate provisioning bridge] 

  • bin 

  • config [configuration files] 

  • docs [documentation and notes] 

  • lib [Java libraries] 

    commons-launcher [Java libraries for commons-launcher] 
    license [license text files] 

■ wfe [Encentuate workflow extensions] 

  • config [configuration files] 

    ImsService [ITIM configuration files for the ImsService account] 

  • docs [documentation and notes] 

  • lib [Java libraries] 

Use the integration package that matches your ITIM version. 

To begin, copy these folders and files (preserving the folder structure) into 
a folder of your choice on the ITIM server (for example, C:\Encentuate). The 
remainder of this chapter assumes C:\Encentuate. 

Be sure to also complete the steps in Configuring the IMS Server. 

Configuring the IBM Tivoli Directory Integrator (IDI) 

IDI configuration is an automated process: place the files required by the 
IMS Bridge in the corresponding folders and restart IDI. 

To configure the IBM Tivoli Directory Integrator: 

1. Copy all JAR files from C:\Encentuate\provisioningbridge\lib, except 
   bcprov.jar, into the <IDI_INSTALL_DIR>\jars\provisionagent directory. 

2. Copy bcprov.jar into the <IDI_INSTALL_DIR>\jvm\jre\lib\ext folder. 





3. Create a keystore that contains the IMS Server's SSL certificate as a 
   trusted certificate entry. One way to obtain the certificate is to visit 
   https://imsserver/ (where imsserver is the IMS Server's host name) in 
   Internet Explorer, click the SSL lock icon to view the certificate, click 
   the Details tab, and use Copy to File with the Base-64 encoded X.509 
   (.CER) format. Compare the certificate's fingerprint with a value obtained 
   from the IMS Server administrator before trusting it. 

   Import the certificate with the keytool.exe bundled with the IBM JDK that 
   is distributed with WebSphere Application Server; keytool.exe is in the 
   <JAVA_HOME>\jre\bin directory. You can confirm the import afterwards with 
   keytool -list -v -keystore <truststore file>. 

   For more information on the keytool utility, see Keytool. 

4. Edit <IDI_INSTALL_DIR>\global.properties to specify the truststore and 
   keystore information. In the current release, only the jks type is 
   supported. 

   # Keystore file information for server authentication. 
   # It is used to verify the server's public key. 
   # example 
   javax.net.ssl.trustStore=C:\Encentuate\provisioningbridge\config\truststore.jks 
   javax.net.ssl.trustStorePassword=password 
   javax.net.ssl.trustStoreType=jks 

   # Keystore file information for client authentication. 
   # It is used to provide the public key of the IBM Tivoli Directory 
   # Integrator to the server if the server requests client authentication. 
   # example 
   javax.net.ssl.keyStore=C:\Encentuate\provisioningbridge\config\truststore.jks 
   javax.net.ssl.keyStorePassword=password 
   javax.net.ssl.keyStoreType=jks 

   The property names are case-sensitive (trustStore, keyStore). Java 
   properties files treat a backslash as an escape character, so if IDI 
   cannot find the keystores, write the Windows paths with forward slashes 
   (C:/Encentuate/...) or doubled backslashes. Replace the example password 
   with one of your own. 

   If these keys are not yet configured, you can point both the truststore 
   and the keystore at the same file containing the IMS Server certificate. 
   Otherwise, import the IMS Server certificate into the truststore specified 
   in javax.net.ssl.trustStore. 
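Before restarting IDI it is worth checking the javax.net.ssl.* entries mechanically, because a mistake here surfaces only as an opaque SSL handshake failure in the IDI log. The Python script below is an added example (not part of the integration package, and Python is not something the IDI host needs): it parses the file with java.util.Properties escape rules and reports a mis-cased property name, a backslash-mangled Windows path, a default password, and a key store that is the same file as the trust store. Its sample text is constructed from the snippet above; the function names are ours.

```python
"""Audit the javax.net.ssl.* entries of an IDI global.properties file.

Added example, not part of the integration package.  The file is read the
way java.util.Properties reads it (backslash is an escape character), then
the settings a reviewer would question before go-live are reported.
"""
import re

# Constructed sample modelled on the snippet in the guide; not a real file.
SAMPLE = r"""
# Keystore file information for the server authentication.
javax.net.ssl.truststore=C:\Encentuate\provisioningbridge\config\truststore.jks
javax.net.ssl.trustStorePassword=password
javax.net.ssl.trustStoreType=jks

# Keystore file information for the client authentication.
javax.net.ssl.keyStore=C:\\Encentuate\\provisioningbridge\\config\\truststore.jks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.keyStoreType=jks
"""

JSSE_KEYS = {
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreType", "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStoreType",
}
DEFAULT_PASSWORDS = {"", "password", "changeit", "secret"}
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    """java.util.Properties rules: \\uXXXX, \\n \\t \\r \\f, and '\\x' -> 'x'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6]):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(nxt, nxt))  # unknown escape: drop the backslash
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Parse key=value lines, honouring comments and backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def audit_ssl_properties(props):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    by_lower = {k.lower(): k for k in JSSE_KEYS}
    for key, val in props.items():
        if not key.startswith("javax.net.ssl."):
            continue
        if key not in JSSE_KEYS:
            hint = by_lower.get(key.lower())
            findings.append("%s: not a JSSE property name%s"
                            % (key, " (did you mean %s?)" % hint if hint else ""))
        if key.endswith("Password") and val in DEFAULT_PASSWORDS:
            findings.append("%s: default or empty password" % key)
        if key.endswith("Type") and val.lower() != "jks":
            findings.append("%s: only jks is supported by this release" % key)
        if any(ord(c) < 32 for c in val):
            findings.append("%s: value contains a control character; double the "
                            "backslashes in Windows paths or use forward slashes" % key)
    if "javax.net.ssl.keyStore" in props and \
            props["javax.net.ssl.keyStore"] == props.get("javax.net.ssl.trustStore"):
        findings.append("keyStore and trustStore are the same file: the bridge's "
                        "private key shares a file with the trust anchors")
    return findings
```

Run against the sample, the single-backslash path comes back as C:Encentuateprovisioningbridgeconfig followed by a tab and "ruststore.jks", which is exactly what the Java runtime would try to open; the doubled-backslash path survives intact.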






5. Launch IDI and open the IMS Bridge configuration file 
   C:\Encentuate\wfe\config\imsprovisioning.xml. If there are no plans to 
   protect the communications between ITIM and IDI with SSL, clear the Use 
   SSL check box. If SSL will be used, the SSL certificate of the ITIM server 
   must be generated and trusted by IDI, and vice versa. 

   IDI Configuration Editor 

6. Click ExternalProperties >> Default in the left panel. The provisioning 
   bridge running in IDI must authenticate to the IMS Server to prove its 
   identity. The authentication mechanism is a password-based logon over an 
   SSL channel. The logon credential must be specified in an encrypted Java 
   properties file created via this IDI ExternalProperties function. 

   Create a new ims.properties file. Mark the Encrypted External Properties 
   check box and choose a password for the file. You can specify the cipher, 
   depending on its availability in IDI; refer to the IDI documentation for 
   the available ciphers. 

   IDI ExternalProperties 

7. Click the Editor tab to edit the external properties file. 

   IDI ExternalProperties Editor 

8. Click the Play button (see IDI Configuration Editor) to run the IDI Server 
   with the IMS Bridge configuration. 
Configuring the IBM Tivoli Identity Manager 

To configure ITIM, you need to define and add a data model to the ITIM data 
store, then configure ITIM to manage the newly-defined account type. 

The following sections describe the step-by-step ITIM configuration process. 

Setting up the initial environment 

To set up the initial environment: 

1. Copy encwfe.properties from the C:\Encentuate\wfe\config directory to the 
   <ITIM_INSTALL_DIR>\data directory, and edit its values to match your 
   deployment. 

2. Open the Properties.properties file in the same directory and add one 
   entry that points to encwfe.properties: 

   # Provisioning bridge credential 
   enc.workflowextension=encwfe.properties 

Configuring the provisioning bridge 

To configure the provisioning bridge: 

1. Open provisioningBridge.xml in the C:\Encentuate\provisioningbridge\config 
   directory and make the appropriate changes for the local environment. 
   Refer to C:\Encentuate\provisioningbridge\docs\ConfigurationGuide.txt for 
   details. 

2. The provisioningbridge.authenticationService.mapping configuration key of 
   provisioningBridge.xml maps the Distinguished Names of registered ITIM 
   services to IMS authentication services. 

   To see the Distinguished Names of all registered ITIM services, use any 
   LDAP-compatible browser to log on to the ITIM back-end data store. All 
   services are under ou=services. In the example shown, the Distinguished 
   Name of the ITIM service is 
   erglobalid=00000000000000000002,ou=services,erglobalid=00000000000000000000,ou=OFN,dc=ITIM. 

   Identifying ITIM services using LDAP browser 

3. Copy encwfe.jar and log4j-1.2.9.jar from the C:\Encentuate\wfe\lib 
   directory to the 
   <WEBSPHERE_HOME>\AppServer\installedApps\<SERVER_NAME>\enRole.ear\app_web.war\WEB-INF\lib 
   directory. If the directory does not exist, create it. 

Defining a data model 

The files in the directory C:\Encentuate\wfe\config\ImsService define a data 
representation for an ImsService account on ITIM. 

The following files are included: 

■ schema.dsml defines the directory syntax for the account and service classes. 

■ resource.def is the resource definition for the creation of a service profile. 

■ CustomLabels.properties defines labels for the forms displayed in the user 
interface. 

■ imsaccount.xml represents account entries associated with the service of type 
imsservice. 

■ imsservice.xml represents a service in ITIM to manage Encentuate IMS 
accounts. 

The schema.dsml file contains the definitions of IMS attributes and object classes 
for the account, service, and a group object in DSML format. 
These are described in the following table: 

Entity Type   Object Class   Description 
-----------   ------------   ----------------------------------------------- 
Service       imsservice     A service in ITIM to manage Encentuate IMS 
                             accounts. 
Account       imsaccounts    Account entries associated with a service of 
                             type imsservice. 

Entities defined for data model 


The attributes associated with the service are described in the following 
table. The labels are given in CustomLabels.properties. 

Attribute Name   Label          Required   Description 
--------------   ------------   --------   --------------------------------------- 
erservicename    Service Name   Yes        The name of the service to display on 
                                           the ITIM user interface. 
erurl            URL            Yes        The URL that IDI is listening on. 
eruid            User ID        Yes        The principal ITIM presents when IDI 
                                           authenticates it. 
erpassword       Password       Yes        The password ITIM presents when IDI 
                                           authenticates it. 

Definition of IMS service attributes 


The attributes associated with the account are described in the following 
table: 

Attribute Name   Label      Required   Description 
--------------   --------   --------   ------------------------------------------ 
eruid            User ID    Yes        The ID used to identify the account user. 
erpassword       Password   Yes        The password that the managed resource 
                                       uses to authenticate the user. 

Definition of IMS account attributes 


The service and account profiles are defined in the resource definition file, 
resource.def. This file also contains an attribute naming the factory that 
handles the protocol, as well as a list of service properties to send with 
requests. 

To load the data definitions into ITIM: 

1. Copy the directory C:\Encentuate\wfe\config\ImsService and its contents to 
   <ITIM_INSTALL_DIR>\data\remote_resources. 

2. Open a command prompt and change to the <ITIM_INSTALL_DIR>\bin\win 
   directory. 

3. Execute the command config_remote_services -profile ImsService. 

4. Restart the ITIM server through the WebSphere Administrative Console. ITIM 
   is listed as enRole in WebSphere. 

   Restarting ITIM server from WebSphere Administrative Console 

   Use the directory administration console to verify that the IMS schema has 
   been imported successfully. Any errors appear in the ITIM log and, for 
   schema import problems, in the directory log. 

Use the same steps in this procedure on a UNIX platform. 


Configuring the IMS Service in ITIM 

To configure the IMS Service in ITIM: 

1. Go to Provisioning >> Service Management. 

2. Add a new service of type ImsService. 

3. Enter the following values for the IMS service parameters. The User ID 
   and Password are sample values; use the credentials configured for your 
   IDI instance, and if the IMS Bridge is configured to use SSL, enter an 
   https URL. 

   Parameter        Value                    Explanation 
   --------------   ----------------------   ------------------------------------ 
   Service Name     ImsService               A value to display on the ITIM user 
                                             interface. 
   URL              http://localhost:8800    Needed to locate IDI. 
   User ID          agent                    The principal ITIM uses to 
                                             authenticate to IDI. 
   Password         smartway                 The password ITIM uses to 
                                             authenticate to IDI. 
   Naming Context   dc=ims                   Used to relate requests to the 
                                             correct context within IDI. 
   Category         Account                  Type of entity for use with the 
                                             ITIM data services APIs. This is 
                                             the appropriate value for account 
                                             management. 

   IMS service parameters 

   Refer to the sample screenshot of the service form (the Add | Modify 
   Service form with the fields Service Name, URL, User Id, Password, Naming 
   Context, Category, Name Attribute, and Service Prerequisite). 

   Custom service instance detail form 

   Make sure the connection test (the Test button) passes before proceeding 
   with the remaining portions of this guide. 

4. Create a new provisioning policy for the new service by going to 
   Provisioning >> Define Provisioning Policies. In the example, the policy 
   is named "Provisioning policy for Encentuate IMS Service (automatic)", 
   with Service Resolution Scope set to SubTree and Status set to Enabled. 

   Create a provisioning policy 

5. Specify the Membership for this policy. In the example, the Organizational 
   Role "Encentuate Employees" is the member. 

   Defining membership for a provisioning policy 

6. Specify the Entitlements for this policy. You can set the accounts to be 
   created automatically once an IMS service account is created. In the 
   example, the entitlements are: 

   Service                  Type        Workflow 
   ----------------------   ---------   ----------- 
   ITIM Service             Automatic   No Workflow 
   TAM Service              Manual      No Workflow 
   Encentuate IMS Service   Automatic   No Workflow 
   WinLocal Service         Manual      No Workflow 

   Defining entitlements for a provisioning policy 




Configuring Encentuate workflow extensions 

This section describes the steps for adding the custom workflow extensions 
that are used as workflow objects within the IBM Tivoli Identity Manager. 

Adding a workflow extension 

Edit the workflowextensions.xml file under the <ITIM_INSTALL_DIR>\data 
directory to add the workflow extensions. Add the following four extensions: 

<ACTIVITY ACTIVITYID="encAddAccount" LIMIT="600000"> 
  <IMPLEMENTATION_TYPE> 
    <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension" 
                 METHOD_NAME="encAddAccount"/> 
  </IMPLEMENTATION_TYPE> 
  <PARAMETERS> 
    <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" TYPE="Person"/> 
    <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" TYPE="Service"/> 
    <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" TYPE="Account"/> 
  </PARAMETERS> 
</ACTIVITY> 

<ACTIVITY ACTIVITYID="encChangePassword" LIMIT="600000"> 
  <IMPLEMENTATION_TYPE> 
    <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension" 
                 METHOD_NAME="encChangePassword"/> 
  </IMPLEMENTATION_TYPE> 
  <PARAMETERS> 
    <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" TYPE="Account"/> 
  </PARAMETERS> 
</ACTIVITY> 

<ACTIVITY ACTIVITYID="encDeleteAccount" LIMIT="600000"> 
  <IMPLEMENTATION_TYPE> 
    <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension" 
                 METHOD_NAME="encDeleteAccount"/> 
  </IMPLEMENTATION_TYPE> 
  <PARAMETERS> 
    <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" TYPE="Account"/> 
  </PARAMETERS> 
</ACTIVITY> 

<ACTIVITY ACTIVITYID="hasImsAccount" LIMIT="600000"> 
  <IMPLEMENTATION_TYPE> 
    <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension" 
                 METHOD_NAME="hasImsAccount"/> 
  </IMPLEMENTATION_TYPE> 
  <PARAMETERS> 
    <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" TYPE="Person"/> 
    <OUT_PARAMETERS PARAM_ID="skipFlag" RELEVANT_DATA_ID="skipFlag" TYPE="String"/> 
  </PARAMETERS> 
</ACTIVITY> 
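ITIM reads workflowextensions.xml only at start-up, so a dropped angle bracket or a misspelled attribute in a hand-edited file shows up as a failed restart of enRole. The Python script below is an added example, not part of the Encentuate package, for checking the file before the restart. It first confirms the XML is well-formed and then applies only what the four activities above show: one APPLICATION per activity with CLASS_NAME and METHOD_NAME, IN_/OUT_PARAMETERS that each carry PARAM_ID, RELEVANT_DATA_ID and TYPE, a numeric LIMIT, and unique ACTIVITYIDs. The EXTENSIONS root element in its sample is a placeholder, and the second activity in the sample is deliberately broken.

```python
"""Sanity-check a workflowextensions.xml fragment before restarting ITIM.

Added example, not part of the Encentuate package.  The checks encode what
the four activities in the guide show; the EXTENSIONS root element of the
sample is a placeholder, not a documented ITIM element name.
"""
import xml.etree.ElementTree as ET

REQUIRED_PARAM_ATTRS = ("PARAM_ID", "RELEVANT_DATA_ID", "TYPE")

# Constructed sample: one correct activity and one with typical hand-edit errors.
SAMPLE = """<EXTENSIONS>
  <ACTIVITY ACTIVITYID="encAddAccount" LIMIT="600000">
    <IMPLEMENTATION_TYPE>
      <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                   METHOD_NAME="encAddAccount"/>
    </IMPLEMENTATION_TYPE>
    <PARAMETERS>
      <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" TYPE="Person"/>
      <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" TYPE="Service"/>
      <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" TYPE="Account"/>
    </PARAMETERS>
  </ACTIVITY>
  <ACTIVITY ACTIVITYID="hasImsAccount" LIMIT="abc">
    <IMPLEMENTATION_TYPE>
      <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"/>
    </IMPLEMENTATION_TYPE>
    <PARAMETERS>
      <IN_PARAMETERS PARAM_ID="owner" TYPE="Person"/>
      <OUT_PARAMETERS PARAM_ID="skipFlag" RELEVANT_DATA_ID="skipFlag" TYPE="String"/>
    </PARAMETERS>
  </ACTIVITY>
</EXTENSIONS>
"""


def check_wellformed(xml_text):
    """Return the parser's message (e.g. for a dropped '<'), or None if well-formed."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def validate_extensions(xml_text):
    """Return {ACTIVITYID: [problems]}; raises ET.ParseError if not well-formed."""
    root = ET.fromstring(xml_text)
    report, seen = {}, set()
    for act in root.iter("ACTIVITY"):
        aid = act.get("ACTIVITYID", "<missing ACTIVITYID>")
        problems = []
        if aid in seen:
            problems.append("duplicate ACTIVITYID")
        seen.add(aid)
        limit = act.get("LIMIT", "")
        if not (limit.isdigit() and int(limit) > 0):
            problems.append("LIMIT must be a positive integer (milliseconds)")
        apps = act.findall("IMPLEMENTATION_TYPE/APPLICATION")
        if len(apps) != 1:
            problems.append("expected exactly one IMPLEMENTATION_TYPE/APPLICATION")
        for app in apps:
            for attr in ("CLASS_NAME", "METHOD_NAME"):
                if not app.get(attr):
                    problems.append("APPLICATION lacks %s" % attr)
        for param in act.findall("PARAMETERS/*"):
            if param.tag not in ("IN_PARAMETERS", "OUT_PARAMETERS"):
                problems.append("unexpected element %s under PARAMETERS" % param.tag)
                continue
            missing = [a for a in REQUIRED_PARAM_ATTRS if not param.get(a)]
            if missing:
                problems.append("%s %s lacks %s" % (param.tag, param.get("PARAM_ID", "?"),
                                                    ", ".join(missing)))
        report[aid] = problems
    return report


if __name__ == "__main__":
    for activity_id, problems in validate_extensions(SAMPLE).items():
        print(activity_id, "OK" if not problems else "; ".join(problems))
```

Run the well-formedness check first: the single missing "<" that the OCR'd listing above originally had in front of two ACTIVITY tags is reported as a mismatched-tag parse error rather than as a silently ignored activity.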


Defining workflows with extensions 

To define workflow extensions, make sure that ITIM is running. 

To define workflow extensions: 

1. Log on to ITIM. 

2. Select Configuration >> Entity Type. 

   Configure entity type 

3. Select Account as the Entity Type and click Define Operations. The 
   system-defined operations for Account (add, changePassword, delete, 
   modify, restore, suspend) are listed; system-defined operations cannot be 
   deleted. 

   Define operations for Account 

4. Click the add operation link. The operation diagram is displayed. Make the 
   changes shown in the following screenshot. 

   Define add account operation 

5. Remove the transition from CREATEACCOUNT to End. 

6. Add a new Extension node between CREATEACCOUNT and End. 

7. Double-click the new Extension node. A pop-up window displays all the 
   extensions registered in workflowextensions.xml. 

   Define ENCADDACCOUNT 

8. Select encAddAccount as the Extension Name and fill in the Activity ID 
   with ENCADDACCOUNT. 

9. Click Ok and attach the transitions to the newly-added extension. 

10. Click Save. 

11. Repeat the above for the changePassword and delete operations, using the 
    encChangePassword and encDeleteAccount extensions respectively. 

12. Define the ImsAccount operations by going to Configuration >> Entities >> 
    ImsAccount. 

    Define ImsAccount operations 

13. To prevent the creation of more than one ImsAccount for a Person in ITIM, 
    open the add workflow of ImsAccount and insert the hasImsAccount 
    extension, which ensures that only one IMS account is created for every 
    Person in ITIM. Use OR for the Split Type. 

    Define HASIMSACCOUNT extension 

14. After createAccount is added too, the final workflow looks like this: 

    Workflow for add ImsAccount 

15. Click Properties and then Add to create a new skipFlag property that 
    determines the workflow path (Operation Type: Static). 

    Define skipFlag 

    Properties list after skipFlag is added 

16. Double-click the transition connecting HASIMSACCOUNT to End and enter the 
    JavaScript condition skipFlag.get() == "true"; 

    Checking for skipFlag == true 

17. Double-click the transition connecting HASIMSACCOUNT to CREATEACCOUNT 
    and enter the JavaScript condition skipFlag.get() == "false"; 

    Checking for skipFlag == false 

18. Ensure that the Join Type is OR for the End node. 

    Properties for End node 

19. To disable password change for ImsAccount, open the changePassword 
    workflow of ImsAccount and remove the default extension for password 
    change. Add a new extension NOPASSWORDCHANGE with the following 
    JavaScript: 

    WorkflowRuntimeContext.setProcessResult(activity.FAILED); 
    WorkflowRuntimeContext.setProcessResultDetail("Password change not allowed for IMS account."); 

    Define passwordChange workflow 

    JavaScript for NOPASSWORDCHANGE 

20. Click Save. 

Setting service prerequisites 

As a prerequisite, all application services in HIM can only be provisioned after user 
accounts are provisioned in IMS Server. Otherwise, sign-on automation will not 
work. 
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To set a service prerequisite: 

O In HIM, select Provisioning >> [Organization Name] >> Service Management 
>> Services List. 


H IBM Tivoli Identity Manager - Microsoft Internet Explorer 


File Edit View Favorites loots Help 

0 Back ■ (*] jS] /ts.ard. Favorites e 


yu -a 


Address |,g] http://vmware01/enrole/my_orgtree 

Google^ | 


v g*. Search Web * «» @ 0 blocked "Q • Options f 


v H Go Links ’ 


Identity Manager 

Version 4.5 


PROVISIONING 


SEARCH I REPORT I CONFIGURATION 



You Are Here: Provisioning > Encentuate > Service Management > Services List 


xjAdd | Modify | Delete Service(s) 


► ‘•t'ldentity Manager Horn 
+ Ilf - Encentuate 



I Add | | Ddole | 



Service Name tl 

Service Type 

□ AD Service 

ADprofile 

1 Q AD Service Proxy 

Hosted Service (ADprofile) 

□ DSML2 Test 

DSML2 Test Service 

□ Encentuate IMS 

ImsService 

l~~l ITIM Service 

ITIM 

□ SQL2K Service 

SQL2000Profile 


j Local intranet 


Setting service prerequisite by selecting each service 


o Mark the checkbox of the service. For example: SQL2K Service. 
Q Click Modify. 
Setting service prerequisite for a particular service (screenshot: the SQL2K Service Menu with the options Detailed Information, Reconciliation, Accounts, Orphan Accounts and Policy Enforcement)


4. In the Service Submenu, click Detailed Information.


Set IMS Service as prerequisite (screenshot: the Modify Service form with the fields Service Name, URL, User Id, Password, CA certificate store location, Certificate file location, Private key file location and Service Prerequisite, the last set to Encentuate IMS)


5. At the bottom of the Modify Service panel, click Search next to the Service Prerequisite field and select: Encentuate IMS.

6. Click Submit. Repeat with other services as needed.

7. To create a Service Prerequisite field for ITIM Service, go to Configuration >> Form Customization and add a new erprerequisite field for the ITIM Service.



Provisioning setup and maintenance

To provision a new user (ITIM):

1. ITIM provides the IMS user names and initial passwords to IDI, which in turn will provision the IMS users through the IMS Bridge. The passwords can be randomly-generated, automatically-assigned to users' Employee IDs, or manually assigned through ITIM.

2. IDI connects to the IMS Bridge to provision the IMS users using the IMS user name and password generated by ITIM. The users' Wallets will also be initialized on the IMS Server at this time such that account credentials can then be added to the Wallets.

IMS user accounts should be created before other application accounts. Account credentials cannot be added to the user's Wallet before the users are provisioned on the IMS Server.

3. The users log on with their IMS user names and initial passwords when they use AccessAgent for the first time. They will be prompted to change the initial password and the Wallet containing the provisioned account credentials will be downloaded from the IMS Server.

To add an application account (ITIM):

1. The ITIM Workflow Engine invokes the Encentuate Workflow Extension with the user names and the application credentials.

2. The Encentuate Workflow Extension connects to the IMS Server to add the application and credential information to the users' Wallets.

3. The next time users access AccessAgent, the AccessAgent will have the necessary credentials in the Wallet to automate sign-on to the new application. Applications can therefore be added without having to inform users of the new credentials. Users just need to sign on to AccessAgent.

To reset an application password (ITIM):

1. The ITIM Workflow Engine invokes the Encentuate Workflow Extension with the user names and the new application passwords.

2. The Encentuate Workflow Extension connects to the IMS Server to update the application passwords in the users' Wallets.

3. The next time users log on to AccessAgent, the AccessAgent will have the updated application passwords in the Wallets to automate sign-on to the applications. Administrators can reset application passwords directly without notifying each user. Users just need to sign on to Encentuate to log on to the application.

To delete an application account (ITIM):

1. The ITIM Workflow Engine invokes the Encentuate Workflow Extension with the application accounts to delete.

2. The Encentuate Workflow Extension connects to the IMS Server to delete the application accounts from the users' Wallets.

3. The next time users access AccessAgent, AccessAgent will no longer have access to the deleted application's credentials in the Wallets, and cannot sign on to the application on the users' behalf. Applications can be removed centrally and all access can be terminated automatically.

To de-provision users (ITIM):

1. ITIM provides the IMS user ID of the users to be de-provisioned to IDI, which will de-provision the users.

2. IDI connects to the IMS Bridge and revokes the IMS users. The revocation of the IMS users will invalidate both the users' accounts and the users' Wallets on the server.

3. If the users attempt to log on using AccessAgent, the log on will fail and Wallets that have been cached locally by AccessAgent will be revoked.
Configuring ITAM

Use the IBM Tivoli Access Manager to manage your AccessProfiles. This is an optional configuration for organizations that use ITIM with Encentuate IAM for provisioning.

Creating AccessProfiles for ITAM

Refer to the configuration steps in this section to understand how to create an AccessProfile for ITAM. With this configuration, AccessAgent can recognize the ITAM basic authentication logon prompt, and auto-fill it with the user's ITAM user name and password.

Before using AccessStudio, log on to AccessAgent as Administrator of IAM.

To create AccessProfiles for ITAM:

1. Launch AccessStudio. Click on File >> Import data from IMS to download the latest AccessProfiles from IMS Server.

AccessStudio with data imported from IMS Server

2. Click on View >> Authentication Services to go to the authentication services view. In the left panel, right-click the authentication_services node and select Add Authentication Service. A new authentication service will be displayed in the right panel.

3. Enter dir_tam in the Id field, Tivoli Access Manager in the Display Name field, and Tivoli Access Manager in the Description field. Enter Access Manager for e-business in the Add server locator field. Click the Add button and "Access Manager for e-business" appears in the Server locators to be used during injection and capture field.

Create authentication service

4. In the left panel, right-click the node representing the new authentication service and select Upload to IMS. This will upload the newly-created authentication service (dir_tam) to the IMS Server.

5. Click on View >> Applications to go to the applications view. In the left panel, right-click the applications node and select Add Application. A new application will be displayed in the right panel.

6. Enter app_iexplore in the Id field, Tivoli Access Manager in the Display Name field, and Tivoli Access Manager in the Description field.

Create application

The term "iexplore" is used because the application that shows the ITAM basic authentication logon prompt is actually Internet Explorer.

7. In the left panel, right-click the node representing the new application and select Upload to IMS. This will upload the newly-created application (app_iexplore) to the IMS Server.

8. Click on View >> AccessProfiles to go to the AccessProfiles view. In the left panel, right-click the access_profiles node and select Add AccessProfile. A new AccessProfile will be displayed in the right panel.

An AccessProfile can now be created for the ITAM basic authentication logon prompt, which is displayed by the Internet Explorer application. It should make use of the ITAM authentication service (dir_tam) and ITAM application (app_iexplore) created earlier.

Refer to the Encentuate AccessStudio Guide for details.

9. Alternatively, the sample AccessProfile for ITAM can be used. To upload this sample AccessProfile, click on the XML Editor tab to switch to the XML Editor view so that the sample AccessProfile can be pasted.

Open the sample AccessProfile file (sso_site_wnd_iexplore.xml) in a text editor (e.g., Notepad) and copy all its contents. In the XML Editor, right-click any text in the editor and select Select All. Then, right-click any text in the editor again and select Paste.

10. In the left panel, right-click the node representing the new AccessProfile and select Upload to IMS. This will upload the newly-created AccessProfile (sso_site_wnd_iexplore) to the IMS Server.

Configuring ITAM as an enterprise authentication service

Refer to the configuration steps in this section to understand how to configure ITAM as an enterprise authentication service in the IMS Server. With this configuration, AccessAgent can manage ITAM as an enterprise authentication service. Audit logs are submitted to the IMS Server when users log on to ITAM. The AccessAdmin Web interface is used for configuring the IMS Server.

Before using AccessAdmin, log on to AccessAgent as Administrator of IAM.

To configure ITAM as an enterprise authentication service:

1. Launch AccessAdmin (usually https://imsserver where imsserver is the IMS Server's hostname).

2. Click on Authentication service policies in the left panel. The current list of authentication services will be shown in the right panel.

3. In the right panel, under Personal Authentication Services, look for Tivoli Access Manager. Mark the checkbox and click the Move to enterprise authentication services button.

Click Move to enterprise authentication services

Tivoli Access Manager should now be moved to the list of enterprise authentication services.


ITAM as enterprise authentication service (screenshot: the AccessAdmin Enterprise authentication services list showing AccessAssistant, America Online, Facebook, Google, Tivoli Access Manager and Yahoo, each with the authentication mode Password)
M-Tech ID-Synch

Encentuate IAM and M-Tech ID-Synch integration provides an immediate solution: while ID-Synch provides identity lifecycle management, IAM provides the real-time enforcement of strong identities by simplifying, strengthening, and tracking access to all applications.

This chapter details setup and configuration steps required for the integration of the M-Tech ID-Synch provisioning system with the Encentuate IAM access security solution. It is assumed that both ID-Synch and IMS Server have been installed.

This chapter covers the following topics:

■ About M-Tech ID-Synch integration

■ Minimum requirements

■ Using the integration package

■ Configuring certificate store for IMS Bridge

■ Configuring the IMS Bridge

■ Loading ID-Synch-Encentuate provisioning agent

■ Configuring the ID-Synch Server

■ Provisioning setup and maintenance

About M-Tech ID-Synch integration 

M-Tech ID-Synch is an enterprise user provisioning (account provisioning) solution. 
The ID-Synch solution reduces the cost of user administration, helps new and 
reassigned users get to work quickly, and ensures prompt and reliable access 
termination. 

This is accomplished through automatic propagation of changes to user profiles 
from systems of record to managed systems, with self-service workflow for security 
change requests, through consolidated and delegated user administration, and 
with federation. ID-Synch can manage users on over 70 types of systems. 












Encentuate IAM integrates with M-Tech ID-Synch to provide a complete identity and access management solution.

While ID-Synch provides the identity lifecycle management for application users, Encentuate IAM provides real-time implementation of access security policies for users and applications.

The integrated solution delivers seamless identity and access management that 
provides application account provisioning, a centralized view of all application 
accounts, sign-on/sign-off automation, authentication management, user-centric 
audit logs and reporting, and centralized de-provisioning of all accounts. 

ID-Synch communicates with the IMS Server to populate and manage credentials 
in the Wallet. The Encentuate IMS Bridge and the ID-Synch-Encentuate 
provisioning agent are the interface engines that act as intermediaries between the 
IMS Server and ID-Synch. 

The workflow of the provisioning process is illustrated in the following diagram: 


Encentuate integration overview (M-Tech ID-Synch) (diagram: M-Tech ID-Synch, the ID-Synch Agent and the Encentuate IMS Bridge, with the IMS Bridge talking SOAP to the IMS Server)



ID-Synch connects to the IMS Server via the ID-Synch-Encentuate provisioning 
agent and the Encentuate IMS Bridge to create IMS users, add account credentials 
to users' Wallets, delete account credentials from users' Wallets, and delete IMS 
users. 

Once the ID-Synch-Encentuate provisioning agent has been loaded onto ID-Synch, 
all application accounts provisioned through ID-Synch will be single sign-on 
enabled. 

Communications between the IMS Bridge and the IMS Server are done using 
Simple Object Access Protocol (SOAP) over HTTPS. 

The following are the possible communication processes between ID-Synch and 
the IMS Server: 
1. When ID-Synch provisions new users, it raises an event to the ID-Synch-Encentuate provisioning agent, which communicates with the IMS Server through the IMS Bridge to create IMS users.

2. When ID-Synch de-provisions users, it raises an event to the ID-Synch-Encentuate provisioning agent, which communicates with the IMS Server through the IMS Bridge to delete the IMS users.

3. When users log on to Encentuate's client software, AccessAgent, the software downloads the users' Wallets from the IMS Server and subsequently performs sign-on automation for all types of applications: enterprise, personal, certificate-enabled, and any Windows user accounts. The AccessAgent will:

• Auto-fill users' credentials into the appropriate application.

• Log the users into the application.

AccessAgent also detects any password change and synchronizes the Wallets on users' personal computers with the Wallets stored in the IMS Server.



Communication process between ID-Synch and IMS Bridge (diagram: the Encentuate Wallet (Passwords, Credentials, Policies) held by Encentuate AccessAgent, which performs Sign-On Automation across the SSO platforms; applications: Windows, Java, Citrix-published, Mainframe terminals)


Minimum requirements 

■ M-Tech ID-Synch: 4.0 

■ Encentuate IMS Server: 3.0.0.0 and above 

■ Encentuate AccessAgent: 3.0.3.4 and above 


■ IMS Bridge should be deployed with JVM version 1.3.x or 1.4.x (both SUN and IBM JVM).

■ For a deployment on JVM 1.3.x, two other libraries, JCE and JSSE, are provided. You need to include the JCE and JSSE implementation in the path for the JVM by putting the necessary JAR files in the jre/lib/ext folder.

Using the integration package 

The ID-Synch integration package contains the following folders:

■ ProvisioningBridge [Encentuate provisioning bridge]

• bin

• config [configuration files]

• docs [documentation and notes]

• api [Encentuate provisioning API documentation]

• lib [Java libraries]

• license [license text files]

■ agtencent [ID-Synch-Encentuate provisioning agent]

To use the integration package: 

1. Put the ProvisioningBridge folders and files (preserving folder structure) into any folder (e.g., C:\Encentuate) on the ID-Synch server.

2. Put the agtencent.exe and agtencent.jar files into the agent folder of the ID-Synch instance (e.g., C:\Program Files\P-Synch\<INSTANCE_NAME>\agent).

Configuring certificate store for IMS Bridge

The IMS Bridge communicates with the IMS Server using one-way SSL. This means that the IMS Bridge needs to trust the IMS SSL certificate.

If you are deploying the IMS Bridge on an application server, where there is already one common trust store shared by different applications, you need to import the IMS SSL certificate into the key store as one trusted CA entry.

Alternatively, you need to create one key store using the Java keytool utility. Then, you need to configure the IMS Bridge to use the above trust store.

Be sure to complete the steps in Configuring The IMS Server.

Configuring the IMS Bridge

The IMS Bridge is packaged with a sample configuration file as below.

<?xml version="1.0" encoding="UTF-8"?>
<Config>
  <main>
    <ims.serverName>
      <value xml:lang="en">ims.yourcompany.com</value>
    </ims.serverName>
    <ims.httpsPort>
      <value xml:lang="en">443</value>
    </ims.httpsPort>
    <ims.httpPort>
      <value xml:lang="en">80</value>
    </ims.httpPort>
    <ims.servicePath>
      <value xml:lang="en">/ims/services</value>
    </ims.servicePath>
    <provisioningbridge.truststore>
      <value xml:lang="en">test\config\test_keystore</value>
    </provisioningbridge.truststore>
    <provisioningbridge.jvm.environment.initializer>
      <value xml:lang="en">encentuate.bridges.provisioning.GenericJvmEnvironmentInitializer</value>
    </provisioningbridge.jvm.environment.initializer>
    <provisioningbridge.truststorePassword>
      <value xml:lang="en">password</value>
    </provisioningbridge.truststorePassword>
    <provisioningbridge.authenticationService.mapping>
      <value xml:lang="en">ActiveDirectory:dir_ad</value>
      <value xml:lang="en">LotusNotes:dir_notes</value>
    </provisioningbridge.authenticationService.mapping>
  </main>
</Config>

Refer to the following XML parameters. Some of the parameters are optional.

ims.serverName
    The DNS name of the IMS Server.

ims.httpsPort (Optional)
    The port the IMS Server listens on for HTTPS requests. The default is 443.

ims.httpPort (Optional)
    The port the IMS Server listens on for HTTP requests. The default is 80.

ims.servicePath (Optional)
    The root path of the IMS services. The default is /ims/services/. Note that the value should start with /.

provisioningbridge.trustStore (Mandatory for CLT only)
    The trust store used by the IMS Bridge (Example: C:\path\to\truststore). This configuration does not take effect if there is already a system property set for javax.net.ssl.trustStore.

provisioningbridge.trustStorePassword (Mandatory for CLT only)
    Password of the trust store used by the IMS Bridge. This configuration does not take effect if there is already a system property set for javax.net.ssl.trustStorePassword.

provisioningbridge.password.encryption.algorithm (Optional)
    The algorithm that encrypts the provisioned application passwords. The default algorithm is RSA/NONE/PKCS1Padding.

provisioningbridge.password.encryption.transformation (Optional)
    The transformation ID that corresponds to the encryption algorithm. The default is RSA/NONE/PKCS1Padding/2048/ProvisionKeypair.

provisioningbridge.authenticationService.mapping (Optional)
    The mapping of application IDs on the host provisioning system to the IMS Server's representation. Each value of this configuration key should follow the format prov_system_app_ID:IMS_server_app_ID.

    For example, you have configured an authentication service for Active Directory in the IMS Server called dir_encentuate.com. However, the internal representation for the same authentication service in your provisioning system is ENCENTUATE.

    You will then need to include the following configuration key:

    <provisioningbridge.authenticationService.mapping>
      <value xml:lang="en">ENCENTUATE:dir_encentuate.com</value>
    </provisioningbridge.authenticationService.mapping>

provisioningbridge.jvm.environment.initializer (Optional)
    Name of a class that implements the JvmEnvironmentInitializer interface, which sets up the JVM environment, such as Java system properties, before the IMS Bridge starts to run. The default is encentuate.bridges.provisioning.GenericEnvironmentInitializer.
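To show how these parameters combine, here is an added example (not the IMS Bridge's own code) that parses a provisioningBridge.xml file, applies the documented defaults, lets the javax.net.ssl.* system properties override the trust store keys as described above, and validates each authenticationService.mapping value. The sample XML is constructed from the guide's two samples; because the guide spells the trust store key both truststore and trustStore, keys are matched case-insensitively, and passing an unmapped application ID through unchanged is this example's assumption.

```python
"""Added example: effective IMS Bridge settings from a provisioningBridge.xml."""
import xml.etree.ElementTree as ET

# Constructed sample, merged from the guide's sample file and its mapping example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Config>
  <main>
    <ims.serverName><value xml:lang="en">ims.yourcompany.com</value></ims.serverName>
    <ims.httpsPort><value xml:lang="en">443</value></ims.httpsPort>
    <ims.servicePath><value xml:lang="en">/ims/services</value></ims.servicePath>
    <provisioningbridge.truststore><value xml:lang="en">test\\config\\test_keystore</value></provisioningbridge.truststore>
    <provisioningbridge.truststorePassword><value xml:lang="en">password</value></provisioningbridge.truststorePassword>
    <provisioningbridge.authenticationService.mapping>
      <value xml:lang="en">ActiveDirectory:dir_ad</value>
      <value xml:lang="en">LotusNotes:dir_notes</value>
      <value xml:lang="en">ENCENTUATE:dir_encentuate.com</value>
    </provisioningbridge.authenticationService.mapping>
  </main>
</Config>
"""


def _values(main, key):
    """All <value> texts under the <main> child named key (case-insensitive)."""
    for child in main:
        if child.tag.lower() == key.lower():
            return [(v.text or "").strip() for v in child.findall("value")]
    return []


def parse_bridge_config(xml_text, system_properties=None):
    """Return the effective settings as a dict.

    system_properties stands in for the JVM -D properties: the guide states
    that the trust store keys are ignored when javax.net.ssl.trustStore or
    javax.net.ssl.trustStorePassword is already set.
    """
    sysprops = system_properties or {}
    main = ET.fromstring(xml_text).find("main")
    if main is None:
        raise ValueError("missing <main> element")
    cfg = {}
    server = _values(main, "ims.serverName")
    if not server or not server[0]:
        raise ValueError("ims.serverName is required")
    cfg["ims.serverName"] = server[0]
    # Optional keys with the defaults documented above.
    cfg["ims.httpsPort"] = int((_values(main, "ims.httpsPort") or ["443"])[0])
    cfg["ims.httpPort"] = int((_values(main, "ims.httpPort") or ["80"])[0])
    path = (_values(main, "ims.servicePath") or ["/ims/services/"])[0]
    if not path.startswith("/"):
        raise ValueError("ims.servicePath must start with /")
    cfg["ims.servicePath"] = path
    # A JVM system property takes precedence over the XML trust store keys.
    ts = _values(main, "provisioningbridge.trustStore")
    cfg["trustStore"] = sysprops.get("javax.net.ssl.trustStore") or (ts[0] if ts else None)
    tsp = _values(main, "provisioningbridge.trustStorePassword")
    cfg["trustStorePassword"] = sysprops.get("javax.net.ssl.trustStorePassword") or (tsp[0] if tsp else None)
    # Every mapping value must be prov_system_app_ID:IMS_server_app_ID.
    mapping = {}
    for entry in _values(main, "provisioningbridge.authenticationService.mapping"):
        prov_id, sep, ims_id = entry.partition(":")
        if not sep or not prov_id or not ims_id:
            raise ValueError("bad authenticationService.mapping entry %r" % entry)
        mapping[prov_id] = ims_id
    cfg["authenticationServiceMapping"] = mapping
    cfg["servicesUrl"] = "https://%s:%d%s" % (cfg["ims.serverName"], cfg["ims.httpsPort"], cfg["ims.servicePath"])
    return cfg


def ims_service_id(cfg, prov_app_id):
    """Translate a provisioning-system application ID to the IMS authentication
    service ID. Assumption (not stated in the guide): an unmapped ID is used as-is."""
    return cfg["authenticationServiceMapping"].get(prov_app_id, prov_app_id)


if __name__ == "__main__":
    settings = parse_bridge_config(SAMPLE_CONFIG)
    print(settings["servicesUrl"], settings["authenticationServiceMapping"])
```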

Loading ID-Synch-Encentuate provisioning agent

The ID-Synch-Encentuate provisioning agent must be loaded onto the ID-Synch server.

To load the ID-Synch-Encentuate provisioning agent:

1. Update the CLASSPATH to include the agtencent.jar file if the CLASSPATH is set on the host machine. If not, this step can be skipped.

2. Import the ID-Synch-Encentuate provisioning agent into ID-Synch by running the loadplatform command-line utility found in the C:\Program Files\P-Synch\<INSTANCE_NAME>\util folder: loadplatform -a agtencent.exe

Configuring the ID-Synch Server 

IDI configuration is an automated process, facilitated by placing files required by 
the IMS Bridge in the corresponding folder(s) and restarting the IDI. 

To configure the ID-Synch Server: 

1. Log on to ID-Synch User Administration using the Administrator login.

2. Create an ID-Synch target for the IMS Server by selecting System configuration >> Targets >> Target systems >> Add.

Note that the Address of the server should be the name of the IMS Bridge configuration file (including path, e.g., C:\Encentuate\ProvisioningBridge\config\provisioningBridge.xml).

Clear the Run list utilities checkbox, as listing is not supported by the agent.


Create ID-Synch target for IMS Server (screenshot: the Target information form with the fields Target identifier, Target type, Target description, Target address, Login IDs are case-sensitive, Users must have accounts, Run list utilities and List attributes, filled in for the Encentuate IMS Server target)


3. ID-Synch requires that a template user account exists when creating new user accounts. In order to proceed, a dummy account needs to exist.

Create a file in the C:\Program Files\P-Synch\<INSTANCE_NAME>\psconfig folder called ims.lst (where "ims" is the name given to the ID-Synch target for the IMS Server).

Add the following line of text to the file: "LONGID" "SHORTID" "FULLNAME"

Add another line below it providing the dummy account information. For example: "template" "template" "Template Account"

Save the file and close it.

4. Run psupdate from the command line or select Maintenance >> Update system >> Update now.

5. Verify that the user is found by checking Maintenance >> User summary.
Checking user summary (screenshot: the Maintenance >> User summary report, listing the number of accounts for the Active Directory (ADSERVER1) and Encentuate IMS Server (IMS) targets)


6. Set the template account for the IMS target by selecting Workflow >> Template accounts.

Set template account for IMS target

7. Add the IMS authentication services (Wallet applications) as Request Attributes by selecting Workflow >> Request attributes >> Request attributes.

The attribute ID should be the authentication service ID, and an appropriate description should be entered.

As IMS allows multiple application instances to exist in a Wallet (provided the user names are different), the Maximum allowed number of values should be set to the appropriate number. The information entered into the Description field (instead of the attribute ID) is displayed to users in ID-Synch.


Add authentication services as request attributes (screenshot: the Request attribute information form with the fields ID, Description, Type, Minimum required number of values, Maximum allowed number of values, Allow duplicate values and Allow this attribute to be sent in e-mails, filled in with ID dir_encentuate, Description Encentuate AD and Type Character)

8. Add the IMS authentication services as Target Attributes by selecting Targets >> Attributes >> Target >> Select button (Encentuate IMS Server) >> Add.

The target attribute name should be the authentication service ID, and the supported actions are Copy, replacing ID and Set, with Set being the action to perform. The maximum number of values should be the same as that set for the request attributes, the attribute type should be Character, and the request attribute should correspond to the appropriate one created in the previous step.

Add target attributes (1)

Add target attributes (2)

9. Add the appropriate requester security access for the IMS attributes by selecting Security >> Access control >> Requesters >> Attribute groups. Click the Add button to add the IMSATTRIBUTES group.




Add IMSATTRIBUTES group for requester security access (screenshot: the Add attribute group form with ID IMSATTRIBUTES, Description IMS Wallet Attributes and Display type Main)


10. Add the appropriate IMS attributes to the IMSATTRIBUTES group by clicking Details. For each attribute, click the Include... button. Finally, assign the privileges to the requester group (Read and Write).

Add attributes to IMSATTRIBUTES group

Assign privileges to requester group

11. Go to Home >> User administration >> New user profile to add a user. This should complete the process for creating a user with application accounts populated in the Wallet.

Creating Request Attributes for the user adds application accounts to the Wallet. Actual provisioning of application accounts on the application servers is done by adding Resources; these are two separate processes.

The provisioning of application accounts can only be done during user creation.
Provisioning setup and maintenance

To provision a new user (M-Tech ID-Synch):

1. ID-Synch provides the IMS user names and initial passwords to the ID-Synch-Encentuate provisioning agent, which in turn will provision the IMS users through the IMS Bridge. The password can be randomly-generated, or manually assigned through ID-Synch.

2. The ID-Synch-Encentuate provisioning agent connects to the IMS Bridge to provision the IMS users using the IMS user name and password generated by ID-Synch. The users' Wallets will also be initialized on the IMS Server at this time such that account credentials can then be added to the Wallets.

IMS user accounts should be created before other application accounts. Account credentials cannot be added to the user's Wallet before the users are provisioned on the IMS Server.

3. The users log on with their IMS user names and initial passwords when they use AccessAgent for the first time. They will be prompted to change the initial password and the Wallet containing the provisioned account credentials will be downloaded from the IMS Server.

To de-provision users (M-Tech ID-Synch):

1. ID-Synch provides the IMS user ID of the users to be de-provisioned to the ID-Synch-Encentuate provisioning agent.

2. The ID-Synch-Encentuate provisioning agent connects to the IMS Bridge and revokes the IMS users. The revocation of the IMS users will invalidate both the users' accounts and the users' Wallets on the server.

3. If the users attempt to log on using AccessAgent, the log on will fail and Wallets that have been cached locally by AccessAgent will be revoked.
APPENDICES

Appendices

Refer to the following appendices for more useful information on integrating provisioning solutions with Encentuate IAM:

■ Appendix A: Configuring The IMS Server

■ Appendix B: WSDL for Server Authentication

■ Appendix C: WSDL for Provisioning Service

■ Appendix D: Troubleshooting

■ Appendix E: Keytool
Configuring The IMS Server

To configure the IMS Server:

1. Use the IMS Configuration Utility (Authentication Services section) to add the authentication services of the applications to be provisioned.

2. Using AccessAdmin (under the Authentication service policies section), configure each authentication service to use the appropriate authentication modes (e.g., Password).

3. The provisioning agent needs to authenticate with the IMS Server before it can call the provisioning services. This authentication is done using a shared secret between the provisioning agent and the IMS Server.

Use the IMS Configuration Utility (IMS Bridges section) to configure these settings. Alternatively, the shared secret can be configured in the IMS configuration file <IMS Installation Folder>\ims\config\ims.xml with the following entries:

<auth.server.agent.clientIp>
  <value xml:lang="en">10.1.16.60</value>
</auth.server.agent.clientIp>

<auth.server.agent.password>
  <value xml:lang="en">sharedsecret</value>
</auth.server.agent.password>

The above configuration means that the provisioning agent with server ID agent is deployed on a machine with IP address 10.1.16.60. It is allowed to log on to the IMS Server with server ID agent and password sharedsecret.

Restart the IMS Server after completing the configuration. When the IMS Server starts, it encrypts the password and replaces the clear text password with the encrypted password in the configuration file.
WSDL for Server Authentication

The WSDL for the server authentication API can be obtained from an installed IMS Server at the following URL (imsserver should be replaced by the hostname of your IMS Server):

https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication?wsdl
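The agent log-on that Appendix A's ims.xml entries and the ServerAuthentication WSDL reproduced below describe, as an added example that is not Encentuate's code: the client side builds a loginByPassword request with the WSDL's serverId and password parts, and the server side admits the agent only when the caller's IP matches auth.server.<serverId>.clientIp and the shared secret matches, then honours terminateSession for the issued session key. Assumptions: RPC-style SOAP bodies, the auth.server.<serverId>.* key pattern, the result codes (0 = success), the session key travelling in resultString, and the terminateSession return values are illustrative only; the encryption of the password on restart is not modelled.

```python
"""Added example: shared-secret agent log-on modelled on Appendix A and the
ServerAuthentication WSDL (loginByPassword / terminateSession)."""
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed ims.xml fragment following the entries shown in Appendix A.
IMS_XML = """<Config><main>
  <auth.server.agent.clientIp><value xml:lang="en">10.1.16.60</value></auth.server.agent.clientIp>
  <auth.server.agent.password><value xml:lang="en">sharedsecret</value></auth.server.agent.password>
</main></Config>"""

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Service namespace as it appears in the WSDL; imsserver is the guide's placeholder.
SVC_NS = "https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication"


def load_agent_entries(xml_text):
    """Collect auth.server.<serverId>.{clientIp,password} into {serverId: {...}}.
    The key pattern is inferred from Appendix A's example (assumption)."""
    agents = {}
    for el in ET.fromstring(xml_text).find("main"):
        parts = el.tag.split(".")
        if len(parts) == 4 and parts[:2] == ["auth", "server"]:
            value = el.find("value")
            text = value.text if value is not None and value.text else ""
            agents.setdefault(parts[2], {})[parts[3]] = text.strip()
    return agents


def build_login_request(server_id, password):
    """Client side: an RPC-style SOAP envelope for loginByPasswordRequest (assumed style)."""
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    op = ET.SubElement(body, "{%s}loginByPassword" % SVC_NS)
    ET.SubElement(op, "serverId").text = server_id
    ET.SubElement(op, "password").text = password
    return ET.tostring(env, encoding="unicode")


class ServerAuthentication:
    """Server side: the two operations of the ServerAuthentication portType."""

    def __init__(self, agents):
        self.agents = agents
        self.sessions = {}  # sessionKey -> serverId

    def login_by_password(self, request_xml, client_ip):
        """Return a ResultMessage as {resultCode, resultString}; 0 means success
        (code values are this example's assumption)."""
        op = ET.fromstring(request_xml).find(".//{%s}loginByPassword" % SVC_NS)
        if op is None:
            return {"resultCode": -1, "resultString": "malformed request"}
        server_id = op.findtext("serverId") or ""
        password = op.findtext("password") or ""
        entry = self.agents.get(server_id)
        # One generic failure for unknown agent, wrong source IP or wrong secret, so the
        # response does not reveal which check failed; compare_digest keeps the secret
        # comparison free of early-exit timing differences.
        ok = (entry is not None
              and entry.get("clientIp") == client_ip
              and hmac.compare_digest(entry.get("password", "").encode(), password.encode()))
        if not ok:
            return {"resultCode": 1, "resultString": "authentication failed"}
        session_key = secrets.token_hex(16)
        self.sessions[session_key] = server_id
        return {"resultCode": 0, "resultString": session_key}

    def terminate_session(self, session_key):
        """terminateSessionReturn is an int in the WSDL: 0 if the session existed, else 1."""
        return 0 if self.sessions.pop(session_key, None) else 1


if __name__ == "__main__":
    service = ServerAuthentication(load_agent_entries(IMS_XML))
    print(service.login_by_password(build_login_request("agent", "sharedsecret"), "10.1.16.60"))
```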


It is also reproduced here for reference: 

<?xml version="1.0" encoding="UTF-8"?> 
<wsdl:definitions targetNamespace="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" 
    xmlns="http://schemas.xmlsoap.org/wsdl/" 
    xmlns:apachesoap="http://xml.apache.org/xml-soap" 
    xmlns:impl="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" 
    xmlns:intf="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" 
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" 
    xmlns:tns1="http://result.ims.encentuate" 
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 

  <wsdl:types> 
    <schema targetNamespace="http://result.ims.encentuate" xmlns="http://www.w3.org/2001/XMLSchema"> 
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/> 
      <complexType name="ResultMessage"> 
        <sequence> 
          <element name="resultCode" type="xsd:int"/> 
          <element name="resultString" nillable="true" type="xsd:string"/> 
        </sequence> 
      </complexType> 
      <element name="ResultMessage" nillable="true" type="tns1:ResultMessage"/> 
    </schema> 
  </wsdl:types> 

  <wsdl:message name="loginByPasswordResponse"> 
    <wsdl:part name="loginByPasswordReturn" type="tns1:ResultMessage"/> 
  </wsdl:message> 

  <wsdl:message name="terminateSessionResponse"> 
    <wsdl:part name="terminateSessionReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="loginByPasswordRequest"> 
    <wsdl:part name="serverId" type="xsd:string"/> 
    <wsdl:part name="password" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="terminateSessionRequest"> 
    <wsdl:part name="sessionKey" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:portType name="ServerAuthentication"> 
    <wsdl:operation name="terminateSession" parameterOrder="sessionKey"> 
      <wsdl:input message="impl:terminateSessionRequest" name="terminateSessionRequest"/> 
      <wsdl:output message="impl:terminateSessionResponse" name="terminateSessionResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="loginByPassword" parameterOrder="serverId password"> 
      <wsdl:input message="impl:loginByPasswordRequest" name="loginByPasswordRequest"/> 
      <wsdl:output message="impl:loginByPasswordResponse" name="loginByPasswordResponse"/> 
    </wsdl:operation> 
  </wsdl:portType> 

  <wsdl:binding name="encentuate.ims.service.ServerAuthenticationSoapBinding" type="impl:ServerAuthentication"> 
    <wsdlsoap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> 
    <wsdl:operation name="terminateSession"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="terminateSessionRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="terminateSessionResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="loginByPassword"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="loginByPasswordRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="loginByPasswordResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
  </wsdl:binding> 

  <wsdl:service name="ServerAuthenticationService"> 
    <wsdl:port binding="impl:encentuate.ims.service.ServerAuthenticationSoapBinding" name="encentuate.ims.service.ServerAuthentication"> 
      <wsdlsoap:address location="https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication"/> 
    </wsdl:port> 
  </wsdl:service> 

</wsdl:definitions> 
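The following Python is an added example, not code from the guide or from Encentuate. It shows the exchange the WSDL above describes: an rpc/encoded loginByPassword request carrying the serverId and the shared secret, the ResultMessage (resultCode, resultString) that comes back, and the terminateSession call that returns an int. The server responses are constructed, with the return struct inline rather than in the multiref form a SOAP toolkit may emit. The guide does not say what resultString carries on a successful login; this example assumes it is the session key that terminateSession (and the sessionId parts of the provisioning service) consume.

```python
"""Build and parse the ServerAuthentication SOAP exchange (added example,
not Encentuate code). Follows the WSDL above: rpc/encoded style, all parts
xsd:string, operation elements in the service namespace."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
SERVICE_NS = "https://imsserver/ims/services/encentuate.ims.service.ServerAuthentication"


def rpc_request(operation, params):
    """Serialise an rpc/encoded call: the operation element lives in the
    service namespace with one unqualified child per WSDL part, in
    parameterOrder. Values are XML-escaped so a secret with '&' or '<'
    cannot break the document."""
    parts = "".join(
        f'<{name} xsi:type="xsd:string">{escape(value)}</{name}>'
        for name, value in params
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"'
        ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<soapenv:Body soapenv:encodingStyle="{SOAP_ENC}">'
        f'<ns1:{operation} xmlns:ns1="{SERVICE_NS}">{parts}</ns1:{operation}>'
        "</soapenv:Body></soapenv:Envelope>"
    )


def login_request(server_id, password):
    """loginByPassword(serverId, password): the shared secret from ims.xml."""
    return rpc_request("loginByPassword", [("serverId", server_id), ("password", password)])


def terminate_request(session_key):
    """terminateSession(sessionKey)."""
    return rpc_request("terminateSession", [("sessionKey", session_key)])


def _find_local(elem, local_name):
    """First descendant with this local name, ignoring namespaces: accessor
    elements inside an rpc/encoded response are unqualified."""
    for child in elem.iter():
        if child.tag.rsplit("}", 1)[-1] == local_name:
            return child
    return None


def _response_element(xml_text, operation):
    """Locate <operation>Response in the Body, raising on a SOAP Fault."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_ENV}}}Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        raise RuntimeError(f"SOAP fault: {fault.findtext('faultstring')}")
    resp = body.find(f"{{{SERVICE_NS}}}{operation}Response")
    if resp is None:
        raise ValueError(f"{operation}Response not found in body")
    return resp


def parse_login_response(xml_text):
    """Return (resultCode, resultString) from a loginByPasswordResponse."""
    ret = _find_local(_response_element(xml_text, "loginByPassword"), "loginByPasswordReturn")
    if ret is None:
        raise ValueError("loginByPasswordReturn missing")
    code = int(_find_local(ret, "resultCode").text)
    result_string = _find_local(ret, "resultString")
    text = "" if result_string is None else (result_string.text or "")
    return code, text.strip()


def parse_terminate_response(xml_text):
    """Return the int result of terminateSession."""
    ret = _find_local(_response_element(xml_text, "terminateSession"), "terminateSessionReturn")
    return int(ret.text)


# Constructed sample responses (the session key value is made up).
SAMPLE_LOGIN_OK = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <soapenv:Body>
  <ns1:loginByPasswordResponse soapenv:encodingStyle="{SOAP_ENC}" xmlns:ns1="{SERVICE_NS}">
   <loginByPasswordReturn xsi:type="ns2:ResultMessage" xmlns:ns2="http://result.ims.encentuate">
    <resultCode xsi:type="xsd:int">0</resultCode>
    <resultString xsi:type="xsd:string">3b9d1e7c-sample-session-key</resultString>
   </loginByPasswordReturn>
  </ns1:loginByPasswordResponse>
 </soapenv:Body>
</soapenv:Envelope>"""

# Same shape with a non-zero resultCode and an empty resultString.
SAMPLE_LOGIN_FAILED = SAMPLE_LOGIN_OK.replace(">0<", ">1<").replace("3b9d1e7c-sample-session-key", "")

SAMPLE_TERMINATE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <soapenv:Body>
  <ns1:terminateSessionResponse soapenv:encodingStyle="{SOAP_ENC}" xmlns:ns1="{SERVICE_NS}">
   <terminateSessionReturn xsi:type="xsd:int">0</terminateSessionReturn>
  </ns1:terminateSessionResponse>
 </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body><soapenv:Fault>
<faultcode>soapenv:Server</faultcode><faultstring>constructed fault text</faultstring>
</soapenv:Fault></soapenv:Body></soapenv:Envelope>"""
```

To send a request, POST the string over HTTPS to the port address in the WSDL with Content-Type text/xml and an empty SOAPAction header (the binding declares soapAction=""), and verify the server certificate: the shared secret travels in the request body. Treat a non-zero resultCode as a failed login and do not reuse the returned string as a session key.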
WSDL for Provisioning Service 


The WSDL for the provisioning service API can be obtained from an installed IMS 
Server at the following URL (replace imsserver with the hostname of your IMS 
Server): https://imsserver/ims/services/encentuate.ims.service.ProvisioningService?wsdl 


It is also reproduced here for reference: 

<?xml version="1.0" encoding="UTF-8"?> 
<wsdl:definitions targetNamespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" 
    xmlns="http://schemas.xmlsoap.org/wsdl/" 
    xmlns:apachesoap="http://xml.apache.org/xml-soap" 
    xmlns:impl="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" 
    xmlns:intf="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" 
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" 
    xmlns:tns1="http://result.ims.encentuate" 
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 

  <wsdl:types> 
    <schema targetNamespace="http://result.ims.encentuate" xmlns="http://www.w3.org/2001/XMLSchema"> 
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/> 
      <complexType name="NameValue"> 
        <sequence> 
          <element name="name" nillable="true" type="xsd:string"/> 
          <element name="value" nillable="true" type="xsd:string"/> 
        </sequence> 
      </complexType> 
      <complexType name="ResultMessage"> 
        <sequence> 
          <element name="resultCode" type="xsd:int"/> 
          <element name="resultString" nillable="true" type="xsd:string"/> 
        </sequence> 
      </complexType> 
      <element name="ResultMessage" nillable="true" type="tns1:ResultMessage"/> 
      <complexType name="ResultArrayMap"> 
        <sequence> 
          <element name="maps" nillable="true" type="impl:ArrayOf_apachesoap_Map"/> 
          <element name="resultCode" type="xsd:int"/> 
        </sequence> 
      </complexType> 
      <element name="ResultArrayMap" nillable="true" type="tns1:ResultArrayMap"/> 
    </schema> 
    <schema targetNamespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" xmlns="http://www.w3.org/2001/XMLSchema"> 
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/> 
      <complexType name="ArrayOf_tns1_NameValue"> 
        <complexContent> 
          <restriction base="soapenc:Array"> 
            <attribute ref="soapenc:arrayType" wsdl:arrayType="tns1:NameValue[]"/> 
          </restriction> 
        </complexContent> 
      </complexType> 
      <element name="ArrayOf_tns1_NameValue" nillable="true" type="impl:ArrayOf_tns1_NameValue"/> 
      <complexType name="ArrayOf_apachesoap_Map"> 
        <complexContent> 
          <restriction base="soapenc:Array"> 
            <attribute ref="soapenc:arrayType" wsdl:arrayType="apachesoap:Map[]"/> 
          </restriction> 
        </complexContent> 
      </complexType> 
    </schema> 
    <schema targetNamespace="http://xml.apache.org/xml-soap" xmlns="http://www.w3.org/2001/XMLSchema"> 
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/> 
      <complexType name="Map"> 
        <sequence> 
          <element maxOccurs="unbounded" minOccurs="0" name="item"> 
            <complexType> 
              <all> 
                <element name="key" type="xsd:anyType"/> 
                <element name="value" type="xsd:anyType"/> 
              </all> 
            </complexType> 
          </element> 
        </sequence> 
      </complexType> 
    </schema> 
  </wsdl:types> 

  <wsdl:message name="revokeImsAccountUsingAttrsRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="attributes" type="impl:ArrayOf_tns1_NameValue"/> 
  </wsdl:message> 

  <wsdl:message name="preProvisionImsUserWithEntIdResponse"> 
    <wsdl:part name="preProvisionImsUserWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="createWalletResponse"> 
    <wsdl:part name="createWalletReturn" type="tns1:ResultMessage"/> 
  </wsdl:message> 

  <wsdl:message name="setAccountCredentialResponse"> 
    <wsdl:part name="setAccountCredentialReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountResponse"> 
    <wsdl:part name="deleteImsAccountReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="revokeImsAccountResponse"> 
    <wsdl:part name="revokeImsAccountReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="createWalletRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="walletId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="removeAccountCredentialWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="removeAccountCredentialRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="setAccountCredentialRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
    <wsdl:part name="password" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="revokeImsAccountUsingAttrsResponse"> 
    <wsdl:part name="revokeImsAccountUsingAttrsReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="revokeImsAccountWithEntIdResponse"> 
    <wsdl:part name="revokeImsAccountWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="getProvisioningCertResponse"> 
    <wsdl:part name="getProvisioningCertReturn" type="tns1:ResultMessage"/> 
  </wsdl:message> 

  <wsdl:message name="getUserAccountsRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountUsingAttrsRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="attributes" type="impl:ArrayOf_tns1_NameValue"/> 
  </wsdl:message> 

  <wsdl:message name="removeAccountCredentialResponse"> 
    <wsdl:part name="removeAccountCredentialReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="addAccountCredentialWithEntIdResponse"> 
    <wsdl:part name="addAccountCredentialWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="removeAccountCredentialWithEntIdResponse"> 
    <wsdl:part name="removeAccountCredentialWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountWithEntIdResponse"> 
    <wsdl:part name="deleteImsAccountWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="getUserAccountsResponse"> 
    <wsdl:part name="getUserAccountsReturn" type="tns1:ResultArrayMap"/> 
  </wsdl:message> 

  <wsdl:message name="preProvisionImsUserRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="initialPassword" type="xsd:string"/> 
    <wsdl:part name="attributes" type="impl:ArrayOf_tns1_NameValue"/> 
  </wsdl:message> 

  <wsdl:message name="setAccountCredentialWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
    <wsdl:part name="password" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="preProvisionImsUserWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
    <wsdl:part name="initialPassword" type="xsd:string"/> 
    <wsdl:part name="attributes" type="impl:ArrayOf_tns1_NameValue"/> 
  </wsdl:message> 

  <wsdl:message name="revokeImsAccountWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="revokeImsAccountRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="getRegistrationStatusResponse"> 
    <wsdl:part name="getRegistrationStatusReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="getProvisioningCertRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="addAccountCredentialWithEntIdRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="adminEntId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
    <wsdl:part name="password" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="addAccountCredentialResponse"> 
    <wsdl:part name="addAccountCredentialReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="getRegistrationStatusRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="deleteImsAccountUsingAttrsResponse"> 
    <wsdl:part name="deleteImsAccountUsingAttrsReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="preProvisionImsUserResponse"> 
    <wsdl:part name="preProvisionImsUserReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:message name="addAccountCredentialRequest"> 
    <wsdl:part name="sessionId" type="xsd:string"/> 
    <wsdl:part name="enterpriseId" type="xsd:string"/> 
    <wsdl:part name="authId" type="xsd:string"/> 
    <wsdl:part name="accountType" type="xsd:string"/> 
    <wsdl:part name="username" type="xsd:string"/> 
    <wsdl:part name="password" type="xsd:string"/> 
  </wsdl:message> 

  <wsdl:message name="setAccountCredentialWithEntIdResponse"> 
    <wsdl:part name="setAccountCredentialWithEntIdReturn" type="xsd:int"/> 
  </wsdl:message> 

  <wsdl:portType name="ProvisioningService"> 
    <wsdl:operation name="getRegistrationStatus" parameterOrder="sessionId enterpriseId"> 
      <wsdl:input message="impl:getRegistrationStatusRequest" name="getRegistrationStatusRequest"/> 
      <wsdl:output message="impl:getRegistrationStatusResponse" name="getRegistrationStatusResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="preProvisionImsUser" parameterOrder="sessionId enterpriseId initialPassword attributes"> 
      <wsdl:input message="impl:preProvisionImsUserRequest" name="preProvisionImsUserRequest"/> 
      <wsdl:output message="impl:preProvisionImsUserResponse" name="preProvisionImsUserResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="preProvisionImsUserWithEntId" parameterOrder="sessionId enterpriseId adminEntId initialPassword attributes"> 
      <wsdl:input message="impl:preProvisionImsUserWithEntIdRequest" name="preProvisionImsUserWithEntIdRequest"/> 
      <wsdl:output message="impl:preProvisionImsUserWithEntIdResponse" name="preProvisionImsUserWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="createWallet" parameterOrder="sessionId enterpriseId walletId"> 
      <wsdl:input message="impl:createWalletRequest" name="createWalletRequest"/> 
      <wsdl:output message="impl:createWalletResponse" name="createWalletResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="getProvisioningCert" parameterOrder="sessionId enterpriseId"> 
      <wsdl:input message="impl:getProvisioningCertRequest" name="getProvisioningCertRequest"/> 
      <wsdl:output message="impl:getProvisioningCertResponse" name="getProvisioningCertResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="addAccountCredential" parameterOrder="sessionId enterpriseId authId accountType username password"> 
      <wsdl:input message="impl:addAccountCredentialRequest" name="addAccountCredentialRequest"/> 
      <wsdl:output message="impl:addAccountCredentialResponse" name="addAccountCredentialResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="addAccountCredentialWithEntId" parameterOrder="sessionId enterpriseId adminEntId authId accountType username password"> 
      <wsdl:input message="impl:addAccountCredentialWithEntIdRequest" name="addAccountCredentialWithEntIdRequest"/> 
      <wsdl:output message="impl:addAccountCredentialWithEntIdResponse" name="addAccountCredentialWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="removeAccountCredential" parameterOrder="sessionId enterpriseId authId accountType username"> 
      <wsdl:input message="impl:removeAccountCredentialRequest" name="removeAccountCredentialRequest"/> 
      <wsdl:output message="impl:removeAccountCredentialResponse" name="removeAccountCredentialResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="removeAccountCredentialWithEntId" parameterOrder="sessionId adminEntId enterpriseId authId accountType username"> 
      <wsdl:input message="impl:removeAccountCredentialWithEntIdRequest" name="removeAccountCredentialWithEntIdRequest"/> 
      <wsdl:output message="impl:removeAccountCredentialWithEntIdResponse" name="removeAccountCredentialWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="setAccountCredential" parameterOrder="sessionId enterpriseId authId accountType username password"> 
      <wsdl:input message="impl:setAccountCredentialRequest" name="setAccountCredentialRequest"/> 
      <wsdl:output message="impl:setAccountCredentialResponse" name="setAccountCredentialResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="setAccountCredentialWithEntId" parameterOrder="sessionId enterpriseId adminEntId authId accountType username password"> 
      <wsdl:input message="impl:setAccountCredentialWithEntIdRequest" name="setAccountCredentialWithEntIdRequest"/> 
      <wsdl:output message="impl:setAccountCredentialWithEntIdResponse" name="setAccountCredentialWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccountUsingAttrs" parameterOrder="sessionId attributes"> 
      <wsdl:input message="impl:revokeImsAccountUsingAttrsRequest" name="revokeImsAccountUsingAttrsRequest"/> 
      <wsdl:output message="impl:revokeImsAccountUsingAttrsResponse" name="revokeImsAccountUsingAttrsResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccountUsingAttrs" parameterOrder="sessionId attributes"> 
      <wsdl:input message="impl:deleteImsAccountUsingAttrsRequest" name="deleteImsAccountUsingAttrsRequest"/> 
      <wsdl:output message="impl:deleteImsAccountUsingAttrsResponse" name="deleteImsAccountUsingAttrsResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccount" parameterOrder="sessionId enterpriseId"> 
      <wsdl:input message="impl:revokeImsAccountRequest" name="revokeImsAccountRequest"/> 
      <wsdl:output message="impl:revokeImsAccountResponse" name="revokeImsAccountResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccountWithEntId" parameterOrder="sessionId enterpriseId adminEntId"> 
      <wsdl:input message="impl:revokeImsAccountWithEntIdRequest" name="revokeImsAccountWithEntIdRequest"/> 
      <wsdl:output message="impl:revokeImsAccountWithEntIdResponse" name="revokeImsAccountWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccount" parameterOrder="sessionId enterpriseId"> 
      <wsdl:input message="impl:deleteImsAccountRequest" name="deleteImsAccountRequest"/> 
      <wsdl:output message="impl:deleteImsAccountResponse" name="deleteImsAccountResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccountWithEntId" parameterOrder="sessionId enterpriseId adminEntId"> 
      <wsdl:input message="impl:deleteImsAccountWithEntIdRequest" name="deleteImsAccountWithEntIdRequest"/> 
      <wsdl:output message="impl:deleteImsAccountWithEntIdResponse" name="deleteImsAccountWithEntIdResponse"/> 
    </wsdl:operation> 
    <wsdl:operation name="getUserAccounts" parameterOrder="sessionId enterpriseId"> 
      <wsdl:input message="impl:getUserAccountsRequest" name="getUserAccountsRequest"/> 
      <wsdl:output message="impl:getUserAccountsResponse" name="getUserAccountsResponse"/> 
    </wsdl:operation> 
  </wsdl:portType> 


  <wsdl:binding name="encentuate.ims.service.ProvisioningServiceSoapBinding" type="impl:ProvisioningService"> 
    <wsdlsoap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> 
    <wsdl:operation name="getRegistrationStatus"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="getRegistrationStatusRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="getRegistrationStatusResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="preProvisionImsUser"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="preProvisionImsUserRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="preProvisionImsUserResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="preProvisionImsUserWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="preProvisionImsUserWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="preProvisionImsUserWithEntIdResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="createWallet"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="createWalletRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="createWalletResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="getProvisioningCert"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="getProvisioningCertRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="getProvisioningCertResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="addAccountCredential"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="addAccountCredentialRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="addAccountCredentialResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="addAccountCredentialWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="addAccountCredentialWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="addAccountCredentialWithEntIdResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="removeAccountCredential"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="removeAccountCredentialRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="removeAccountCredentialResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="removeAccountCredentialWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="removeAccountCredentialWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="removeAccountCredentialWithEntIdResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="setAccountCredential"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="setAccountCredentialRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="setAccountCredentialResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="setAccountCredentialWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="setAccountCredentialWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="setAccountCredentialWithEntIdResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccountUsingAttrs"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="revokeImsAccountUsingAttrsRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="revokeImsAccountUsingAttrsResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccountUsingAttrs"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="deleteImsAccountUsingAttrsRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="deleteImsAccountUsingAttrsResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccount"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="revokeImsAccountRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="revokeImsAccountResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="revokeImsAccountWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="revokeImsAccountWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="revokeImsAccountWithEntIdResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccount"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="deleteImsAccountRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
      <wsdl:output name="deleteImsAccountResponse"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:output> 
    </wsdl:operation> 
    <wsdl:operation name="deleteImsAccountWithEntId"> 
      <wsdlsoap:operation soapAction=""/> 
      <wsdl:input name="deleteImsAccountWithEntIdRequest"> 
        <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService" use="encoded"/> 
      </wsdl:input> 
         <wsdl:output name="deleteImsAccountWithEntIdResponse">
            <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService"
                use="encoded"/>
         </wsdl:output>
      </wsdl:operation>

      <wsdl:operation name="getUserAccounts">
         <wsdlsoap:operation soapAction=""/>

         <wsdl:input name="getUserAccountsRequest">
            <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService"
                use="encoded"/>
         </wsdl:input>

         <wsdl:output name="getUserAccountsResponse">
            <wsdlsoap:body encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                namespace="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService"
                use="encoded"/>
         </wsdl:output>
      </wsdl:operation>

   </wsdl:binding>

   <wsdl:service name="ProvisioningServiceService">
      <wsdl:port binding="impl:encentuate.ims.service.ProvisioningServiceSoapBinding"
          name="encentuate.ims.service.ProvisioningService">
         <wsdlsoap:address location="https://imsserver/ims/services/encentuate.ims.service.ProvisioningService"/>
      </wsdl:port>
   </wsdl:service>

</wsdl:definitions>
Appendix D: Troubleshooting


Refer to the following topics to find a solution to specific issues:

■ Logs for ITIM and WebSphere Application Server

■ Exceptions like ClassNotFoundException and LinkageError

■ Exceptions like javax.net.ssl.SSLHandshakeException or java.net.SocketException

■ Error Message: No security provider for the algorithm that encrypts provisioned passwords

■ Accessing ITIM, WebSphere Admin Console and IBM Tivoli Directory Server

■ Enabling copy and paste function in the ITIM workflow designer applet

■ Expiry of JCE crypto certificates when using IBM's JRE


Logs for HIM and WebSphere Application Server 

The ITIM 4.6 log file path is specified in enRoleLogging.properties, located in the
<ITIM_HOME>\data directory. The default file name is trace.log.

For ITIM 4.5, the ITIM logs are at <WEBSPHERE_HOME>\logs\itim.log.

WebSphere logs can be found at <WEBSPHERE_HOME>\logs\server1\SystemOut.log and
<WEBSPHERE_HOME>\logs\server1\SystemErr.log.

Exceptions like ClassNotFoundException and LinkageError 

If you deploy the provisioning bridge in an application server such as WebLogic or
WebSphere, you may get errors like ClassNotFoundException or LinkageError because of
conflicts between the libraries shipped with the provisioning bridge and those of the
host application server.

To understand such issues, refer to the documentation on the class loader mechanisms
of the application server. Then search the library folders used by the different class
loaders to determine which libraries conflict.

If possible, do not share libraries between the provisioning bridge and other modules,
for example by deploying the provisioning bridge as a separate EAR module.

Otherwise, attempt to resolve the library conflicts by removing libraries from the
provisioning bridge (that is, use the library already present in the application server
instead). However, this may not work, because the provisioning bridge may require
specific versions of those libraries.

Exceptions like javax.net.ssl.SSLHandshakeException or 
java.net.SocketException 

Check that you pointed the provisioning bridge to the correct configuration file, and
check the configuration file to determine whether the information about the truststore
is correct.

Make sure that the truststore contains the SSL certificate of the IMS Server that the
provisioning bridge communicates with.

Note that the truststore specified in the configuration file for the provisioning
bridge is not used if the Java system properties javax.net.ssl.trustStore and
javax.net.ssl.trustStorePassword are set before the provisioning bridge is initialized.

To check which truststore is used, check the standard output of the JVM (or the console
of the application server). The provisioning bridge logs a message about the location
of the truststore at INFO level.

You may need to add an entry such as "log4j.logger.encentuate=INFO" to log4j.properties
to display this message.


Error Message: No security provider for the algorithm that 
encrypts provisioned passwords 

You may need to put the provider JAR file (bcprovider-jdk**-***.jar) in the 
jre\lib\ext folder. 

Accessing ITIM, WebSphere Admin Console and IBM Tivoli 
Directory Server 

The ITIM UI can be accessed at: http://<machine_name>/enrole/logon

The WebSphere Admin Console can be accessed at: http://<machine_name>:9090/admin/

The IBM Tivoli Directory Server can be accessed at:
http://<machine_name>:9080/IDSWebApp/IDSjsp/Login.jsp
Enabling copy and paste function in the ITIM workflow designer applet

The default Java sandbox security model does not grant clipboard permission to
applets launched by browsers. Refer to the following article for the steps to enable
copy and paste:
http://publib.boulder.ibm.com/tividd/td/ITIM/SC32-1149-02/en_US/HTML/im451poaall5.htm

Expiry of JCE crypto certificates when using IBM's JRE

For WebSphere Application Server version 5.0, the IBM® JCE certificate will expire
on May 18, 2006 at 21:59:19 GMT, which causes an exception.

IBM has released a patch to resolve this issue, which can be downloaded from the
following location: http://www-1.ibm.com/support/docview.wss?uid=swg24012195
Keytool


keytool is a utility used to create keystores and to import certificates. Refer to
this appendix when you need to use keytool; for more guidance, refer to the keytool
documentation of Sun's JRE. This minimizes the effort of looking up the flags and
parameters to provide.

When using keytool, you can refer to Sun's Java keytool documentation at:
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

Below is an example of how to use keytool to import the IMS Server certificate into a
truststore:

keytool -import -alias ims -file <certificate_file_path> -keystore <truststore_path> -storepass <truststore_password>

Before running keytool, obtain a certificate file first:

1. Use Internet Explorer to visit https://imsserver/ where imsserver is the IMS
   Server's hostname.

2. Click the lock icon and select View certificates.

3. Click the Details tab.

4. Click the Copy to File... button.

5. Click Next.

6. Select Base-64 encoded X.509 format and proceed to save it to a file.
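The truststore precedence described under "Exceptions like javax.net.ssl.SSLHandshakeException or java.net.SocketException" (a javax.net.ssl.trustStore system property set before the bridge initializes wins over the truststore in the bridge's configuration file) and the certificate import in this keytool appendix can be verified in one place before an SSL handshake failure is investigated further. The following Java program is an added example, not code from the Encentuate guide or the provisioning bridge: it resolves which truststore is in effect using the stated precedence, loads the Base-64 encoded X.509 certificate file exported in steps 1 to 6 above, and reports whether that exact certificate is present in the selected truststore. The configuration keys truststore.path and truststore.password and the class name TrustStoreCheck are assumptions made for this example; the guide does not name the keys used by the bridge's configuration file. The code compiles on Java 5 or later.

```java
// Added example (not from the Encentuate guide or the provisioning bridge).
// Assumed configuration keys: truststore.path, truststore.password.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Properties;

public final class TrustStoreCheck {

    /** Where the truststore setting in effect came from. */
    enum Source { SYSTEM_PROPERTY, CONFIG_FILE }

    static final class Selected {
        final Source source;
        final String path;
        final char[] password; // null means "do not verify the keystore integrity"

        Selected(Source source, String path, char[] password) {
            this.source = source;
            this.path = path;
            this.password = password;
        }
    }

    /** An empty password is treated as "none", so KeyStore.load skips the integrity check. */
    static char[] toPassword(String s) {
        return (s == null || s.length() == 0) ? null : s.toCharArray();
    }

    /**
     * Precedence described in the guide: a javax.net.ssl.trustStore system property
     * set before the bridge initializes wins over the bridge's configuration file.
     */
    static Selected resolve(Properties jvmProps, Properties bridgeConfig) {
        String sysPath = jvmProps.getProperty("javax.net.ssl.trustStore");
        if (sysPath != null && sysPath.length() > 0) {
            return new Selected(Source.SYSTEM_PROPERTY, sysPath,
                    toPassword(jvmProps.getProperty("javax.net.ssl.trustStorePassword")));
        }
        // Key names are an assumption for this example; the guide does not name them.
        String cfgPath = bridgeConfig.getProperty("truststore.path");
        if (cfgPath == null) {
            throw new IllegalStateException(
                    "no truststore configured: neither javax.net.ssl.trustStore nor truststore.path is set");
        }
        return new Selected(Source.CONFIG_FILE, cfgPath,
                toPassword(bridgeConfig.getProperty("truststore.password")));
    }

    /** Reads a Base-64 encoded X.509 certificate file, the format exported in the steps above. */
    static X509Certificate loadPem(String path) throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** True if some entry in the truststore is exactly this certificate (same DER encoding). */
    static boolean contains(Selected ts, X509Certificate imsCert)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on the JREs the guide covers
        InputStream in = new FileInputStream(ts.path);
        try {
            ks.load(in, ts.password);
        } finally {
            in.close();
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            // Certificate.equals compares encoded forms, so the alias used at import time does not matter.
            if (c != null && c.equals(imsCert)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStoreCheck <bridge-config.properties> <ims-cert.cer>");
            System.exit(2);
        }
        Properties cfg = new Properties();
        InputStream in = new FileInputStream(args[0]);
        try {
            cfg.load(in);
        } finally {
            in.close();
        }

        Selected ts = resolve(System.getProperties(), cfg);
        System.out.println("INFO truststore in effect: " + ts.path + " (source: " + ts.source + ")");

        X509Certificate ims = loadPem(args[1]);
        System.out.println("IMS Server certificate: " + ims.getSubjectX500Principal()
                + ", expires " + ims.getNotAfter());
        if (contains(ts, ims)) {
            System.out.println("OK: the IMS Server certificate is present in this truststore");
        } else {
            System.out.println("MISSING: import it with keytool -import -alias ims -file " + args[1]
                    + " -keystore " + ts.path);
            System.exit(1);
        }
    }
}
```

Run it with the same JVM options as the application server, for example `java -Djavax.net.ssl.trustStore=/path/to/cacerts TrustStoreCheck bridge.properties ims.cer`, and the first line of output shows which of the two sources the bridge will actually honour; running it again without the -D option shows whether the configuration file alone would point at a truststore that contains the IMS Server certificate.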
Glossary and Abbreviations


AccessAdmin 

The management console used by 
individuals with the Administrator Role and/ 
or the Helpdesk Role to administer IMS 
Server, and to manage users and policies. 

AccessAgent 

The client software that manages the user's 
identity, enabling sign-on/sign-off 
automation and authentication 
management. 

AccessProfiles 

Short, structured XML files that enable single 
sign-on/sign-off automation for 
applications. AccessStudio can be used to 
generate AccessProfiles. 

AccessStudio 

The interface used to create AccessProfiles 
required to support end-point automation, 
including single sign-on, single sign-off, 
and customizable audit tracking. 

AD 

Microsoft Active Directory 

API 

Application Programming Interface 

application 

An application is a software product that 
provides a particular function. Examples 
include customer relationship management 
systems and supply-chain management 
systems. 

authentication factor 

The different devices, biometrics, or secrets 
required as credentials for validating digital 
identities (e.g., passwords, Encentuate USB 
Key, RFID, biometrics, and one-time 
password tokens). 


authentication service 

Verifies the validity of an account. Applications
authenticate against their own user store or
against a corporate directory.

CA 

Certificate Authority 

CLT 

Command Line Tool 

DB 

Database 

DNS 

Domain Name Service 

DSML 

Directory Services Markup Language 

Enterprise Access Security (EAS) 

A technology that enables enterprises to 
simplify, strengthen and track access to 
digital assets and physical infrastructure. 

IDI 

IBM Tivoli Directory Integrator 

IMS Bridge 

For extending functionalities of third party 
programs, allowing them to communicate 
with IMS Server. 

IMS Configuration Utility 

A utility of the IMS Server that allows 
Administrators to manage lower-level 
configuration settings for the IMS Server. 
IMS Connectors

Add-ons to the Encentuate IMS Server that 
enable the IMS Server to interface with other 
applications as a client, extending the 
capability of the IMS Server. 

IMS Server 

An integrated management system that 
provides a central point of secure access 
administration for an enterprise. It enables 
centralized management of user identities, 
AccessProfiles, authentication policies, 
provides loss management, certificate 
management and audit management for 
the enterprise. 

ITAM (IBM Tivoli Access Manager) 

An integrated solution that provides a wide 
range of authorization and management 
solutions. This product can be used on 
various operating systems platforms such as 
Unix (AIX, Solaris, HP-UX), Linux, and 
Windows. 

ITIM (IBM Tivoli Identity Manager) 

A system that integrates with Encentuate IAM
to provide identity lifecycle management for 
application users. 

JCE 

Java Cryptographic Extension 

JVM 

Java Virtual Machine 

JSSE 

Java Secure Socket Extension 

LDAP 

Lightweight Directory Access Protocol 

M-Tech ID-Synch 

An enterprise user provisioning software 
used by organizations. 


Mobile Active Code (MAC) 

A one-time password that is randomly 
generated, event-based, and delivered via a 
secure second channel (e.g., SMS on mobile 
phones). 

One-Time Password (OTP) 

A one-use password generated for an 
authentication event (e.g., password reset), 
sometimes communicated between the 
client and the server via a secure channel 
(e.g., mobile phones). 

policy 

Governs the operation of Encentuate IAM
Enterprise, comprising two main sets:
machine policies (managed through 
Windows GPO) and IMS-managed policies 
(managed through AccessAdmin). 

Provisioning API 

An interface that allows Encentuate IAM to
integrate with user provisioning systems. 

provisioning system 

A system that provides identity lifecycle 
management for application users in 
enterprises and manages their credentials. 

Radio Frequency Identification (RFID) 

A wireless technology that transmits product 
serial numbers from tags to a scanner, 
without human intervention. 

single sign-on 

A capability that allows a user to enter a 
user ID and password to access multiple 
applications. 

SOAP

Simple Object Access Protocol

SSL

Secure Sockets Layer
USB Key / USB token

A portable and personalized device for 
storing user names, passwords, certificates, 
encryption keys, and other security 
credentials. 

user name (user ID) 

A unique identifier that differentiates the 
user from all other users in the system. 

Wallet 

An identity wallet that stores a user's access 
credentials and related information 
(including user IDs, passwords, certificates, 
encryption keys), each acting as the user's 
personal meta-directory. 

WebSphere Administrative Console 

A graphical administrative Java application 
client that makes method calls to resource 
beans in the administrative server to access 
or modify a resource within the domain. 

